ECB, CFB, OFB,
+ * This class implements the DESede algorithm (DES-EDE, tripleDES) in
+ * its various modes (ECB, CFB, OFB,
* CBC, PCBC) and padding schemes
* (PKCS5Padding, NoPadding,
* ISO10126Padding).
diff --git a/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java b/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
index f83ae597b52ea68c7839653d94eeac74fefa379a..4af003d68ae791e3c26298b7a556bb925c0cbb7f 100644
--- a/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,8 @@ javax.crypto.interfaces.DHPrivateKey, Serializable {
ike.initCause(e);
throw ike;
} catch (IOException e) {
- InvalidKeyException ike = new InvalidKeyException("Error parsing key encoding: " + e.getMessage());
+ InvalidKeyException ike = new InvalidKeyException(
+ "Error parsing key encoding: " + e.getMessage());
ike.initCause(e);
throw ike;
}
@@ -300,7 +301,8 @@ javax.crypto.interfaces.DHPrivateKey, Serializable {
DerInputStream in = new DerInputStream(this.key);
this.x = in.getBigInteger();
} catch (IOException e) {
- InvalidKeyException ike = new InvalidKeyException("Error parsing key encoding: " + e.getMessage());
+ InvalidKeyException ike = new InvalidKeyException(
+ "Error parsing key encoding: " + e.getMessage());
ike.initCause(e);
throw ike;
}
diff --git a/src/share/classes/com/sun/crypto/provider/DHPublicKey.java b/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
index 9318fbd8caf59919ecc412d3a2f684b810c267d4..46bf6024dd446f3652ff700a81cfea236e72b790 100644
--- a/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -180,7 +180,8 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
throw new InvalidKeyException("Private-value length too big");
} catch (IOException e) {
- throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
+ throw new InvalidKeyException(
+ "Error parsing key encoding: " + e.toString());
}
}
@@ -281,7 +282,8 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
DerInputStream in = new DerInputStream(this.key);
this.y = in.getBigInteger();
} catch (IOException e) {
- throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
+ throw new InvalidKeyException(
+ "Error parsing key encoding: " + e.toString());
}
}
diff --git a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
index 5d54688069914ee0cbca6bd7208f386c44cdc31a..1f37e18579661251f15454cb9036a4af64aff0f1 100644
--- a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
+++ b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -764,7 +764,8 @@ public final class JceKeyStore extends KeyStoreSpi {
cf = (CertificateFactory)cfs.get(certType);
} else {
// create new certificate factory
- cf = CertificateFactory.getInstance(certType);
+ cf = CertificateFactory.getInstance(
+ certType);
// store the certificate factory so we can
// reuse it later
cfs.put(certType, cf);
@@ -863,8 +864,9 @@ public final class JceKeyStore extends KeyStoreSpi {
dis.readFully(actual);
for (int i = 0; i < computed.length; i++) {
if (computed[i] != actual[i]) {
- throw new IOException("Keystore was tampered with, or "
- + "password was incorrect");
+ throw new IOException(
+ "Keystore was tampered with, or "
+ + "password was incorrect");
}
}
}
diff --git a/src/share/classes/com/sun/crypto/provider/OAEPParameters.java b/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
index 65a85e753315ed68b10c598d457c11c2ecc865c8..07d613babe8b757f1759e5c23f3c092ef0238b58 100644
--- a/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
+++ b/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -139,7 +139,8 @@ public final class OAEPParameters extends AlgorithmParametersSpi {
if (!val.getOID().equals((Object) OID_MGF1)) {
throw new IOException("Only MGF1 mgf is supported");
}
- AlgorithmId params = AlgorithmId.parse(new DerValue(val.getEncodedParams()));
+ AlgorithmId params = AlgorithmId.parse(
+ new DerValue(val.getEncodedParams()));
String mgfDigestName = convertToStandardName(params.getName());
if (mgfDigestName.equals("SHA-1")) {
mgfSpec = MGF1ParameterSpec.SHA1;
@@ -150,7 +151,8 @@ public final class OAEPParameters extends AlgorithmParametersSpi {
} else if (mgfDigestName.equals("SHA-512")) {
mgfSpec = MGF1ParameterSpec.SHA512;
} else {
- throw new IOException("Unrecognized message digest algorithm");
+ throw new IOException(
+ "Unrecognized message digest algorithm");
}
} else if (data.isContextSpecific((byte) 0x02)) {
// pSource algid
diff --git a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
index c5c0d844912f832de73bb0483fecc4a45060a282..7f74609c002aeb0720e7d23a4ce6190a0ecfe536 100644
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
+++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -121,8 +121,8 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
this.key = deriveKey(prf, passwdBytes, salt, iterCount, keyLength);
}
- private static byte[] deriveKey(final Mac prf, final byte[] password, byte[] salt,
- int iterCount, int keyLengthInBit) {
+ private static byte[] deriveKey(final Mac prf, final byte[] password,
+ byte[] salt, int iterCount, int keyLengthInBit) {
int keyLength = keyLengthInBit/8;
byte[] key = new byte[keyLength];
try {
@@ -155,8 +155,9 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
if (this == obj) return true;
if (this.getClass() != obj.getClass()) return false;
SecretKey sk = (SecretKey)obj;
- return prf.getAlgorithm().equalsIgnoreCase(sk.getAlgorithm()) &&
- Arrays.equals(password, sk.getEncoded());
+ return prf.getAlgorithm().equalsIgnoreCase(
+ sk.getAlgorithm()) &&
+ Arrays.equals(password, sk.getEncoded());
}
};
prf.init(macKey);
diff --git a/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java b/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
index fce352f1d3c651a58ca24762fca9c3d2585e88eb..e091e90e2c116835e891e9c3150ffe74172658ef 100644
--- a/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
+++ b/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -206,7 +206,8 @@ final class PKCS12PBECipherCore {
(algo.equalsIgnoreCase("RC2")?"RC2_40":algo), "SunJCE");
} catch (GeneralSecurityException gse) {
// should never happen
- throw new RuntimeException("SunJCE provider is not configured properly");
+ throw new RuntimeException(
+ "SunJCE provider is not configured properly");
}
try {
params.init(pbeSpec);
@@ -316,7 +317,8 @@ final class PKCS12PBECipherCore {
try {
paramSpec = params.getParameterSpec(PBEParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
- throw new InvalidAlgorithmParameterException("requires PBE parameters");
+ throw new InvalidAlgorithmParameterException(
+ "requires PBE parameters");
}
}
implInit(opmode, key, paramSpec, random);
diff --git a/src/share/classes/com/sun/crypto/provider/SunJCE.java b/src/share/classes/com/sun/crypto/provider/SunJCE.java
index df68b11aaebfbbb1e254e9d84c15c6c8a13918b9..4b53f84fedc0fc63cc1ee933503afb3b3e2551a5 100644
--- a/src/share/classes/com/sun/crypto/provider/SunJCE.java
+++ b/src/share/classes/com/sun/crypto/provider/SunJCE.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -423,15 +423,31 @@ public final class SunJCE extends Provider {
/*
* SSL/TLS mechanisms
+ *
+ * These are strictly internal implementations and may
+ * be changed at any time. These names were chosen
+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
+ * mechanisms, and it will cause calls to come here.
*/
put("KeyGenerator.SunTlsPrf",
- "com.sun.crypto.provider.TlsPrfGenerator");
- put("KeyGenerator.SunTlsRsaPremasterSecret",
- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator");
+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
+ put("KeyGenerator.SunTls12Prf",
+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
+
put("KeyGenerator.SunTlsMasterSecret",
- "com.sun.crypto.provider.TlsMasterSecretGenerator");
+ "com.sun.crypto.provider.TlsMasterSecretGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12MasterSecret",
+ "SunTlsMasterSecret");
+
put("KeyGenerator.SunTlsKeyMaterial",
- "com.sun.crypto.provider.TlsKeyMaterialGenerator");
+ "com.sun.crypto.provider.TlsKeyMaterialGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12KeyMaterial",
+ "SunTlsKeyMaterial");
+
+ put("KeyGenerator.SunTlsRsaPremasterSecret",
+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12RsaPremasterSecret",
+ "SunTlsRsaPremasterSecret");
return null;
}
diff --git a/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
index 91a8d3b5a99230eb3e248c5a5236e92e67ed0202..8e4f6a15d8e5f7dfd1cc07bc8319c60128bf3834 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -65,12 +65,14 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
}
this.spec = (TlsKeyMaterialParameterSpec)params;
if ("RAW".equals(spec.getMasterSecret().getFormat()) == false) {
- throw new InvalidAlgorithmParameterException("Key format must be RAW");
+ throw new InvalidAlgorithmParameterException(
+ "Key format must be RAW");
}
- protocolVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
- if ((protocolVersion < 0x0300) || (protocolVersion > 0x0302)) {
- throw new InvalidAlgorithmParameterException
- ("Only SSL 3.0, TLS 1.0, and TLS 1.1 supported");
+ protocolVersion = (spec.getMajorVersion() << 8)
+ | spec.getMinorVersion();
+ if ((protocolVersion < 0x0300) || (protocolVersion > 0x0303)) {
+ throw new InvalidAlgorithmParameterException(
+ "Only SSL 3.0, TLS 1.0/1.1/1.2 supported");
}
}
@@ -80,8 +82,8 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsKeyMaterialGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsKeyMaterialGenerator must be initialized");
}
try {
return engineGenerateKey0();
@@ -99,8 +101,8 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
SecretKey clientMacKey = null;
SecretKey serverMacKey = null;
SecretKey clientCipherKey = null;
- IvParameterSpec clientIv = null;
SecretKey serverCipherKey = null;
+ IvParameterSpec clientIv = null;
IvParameterSpec serverIv = null;
int macLength = spec.getMacKeyLength();
@@ -109,21 +111,33 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
int keyLength = spec.getCipherKeyLength();
int ivLength = spec.getIvLength();
- int keyBlockLen = macLength + keyLength + (isExportable ? 0 : ivLength);
+ int keyBlockLen = macLength + keyLength
+ + (isExportable ? 0 : ivLength);
keyBlockLen <<= 1;
byte[] keyBlock = new byte[keyBlockLen];
- MessageDigest md5 = MessageDigest.getInstance("MD5");
- MessageDigest sha = MessageDigest.getInstance("SHA1");
+ // These may be used again later for exportable suite calculations.
+ MessageDigest md5 = null;
+ MessageDigest sha = null;
// generate key block
- if (protocolVersion >= 0x0301) {
- // TLS
+ if (protocolVersion >= 0x0303) {
+ // TLS 1.2
+ byte[] seed = concat(serverRandom, clientRandom);
+ keyBlock = doTLS12PRF(masterSecret, LABEL_KEY_EXPANSION, seed,
+ keyBlockLen, spec.getPRFHashAlg(),
+ spec.getPRFHashLength(), spec.getPRFBlockSize());
+ } else if (protocolVersion >= 0x0301) {
+ // TLS 1.0/1.1
+ md5 = MessageDigest.getInstance("MD5");
+ sha = MessageDigest.getInstance("SHA1");
byte[] seed = concat(serverRandom, clientRandom);
- keyBlock = doPRF(masterSecret, LABEL_KEY_EXPANSION, seed,
+ keyBlock = doTLS10PRF(masterSecret, LABEL_KEY_EXPANSION, seed,
keyBlockLen, md5, sha);
} else {
// SSL
+ md5 = MessageDigest.getInstance("MD5");
+ sha = MessageDigest.getInstance("SHA1");
keyBlock = new byte[keyBlockLen];
byte[] tmp = new byte[20];
@@ -169,6 +183,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
String alg = spec.getCipherAlgorithm();
+ // cipher keys
byte[] clientKeyBytes = new byte[keyLength];
System.arraycopy(keyBlock, ofs, clientKeyBytes, 0, keyLength);
ofs += keyLength;
@@ -182,6 +197,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
clientCipherKey = new SecretKeySpec(clientKeyBytes, alg);
serverCipherKey = new SecretKeySpec(serverKeyBytes, alg);
+ // IV keys if needed.
if (ivLength != 0) {
tmp = new byte[ivLength];
@@ -194,21 +210,28 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
serverIv = new IvParameterSpec(tmp);
}
} else {
+ // if exportable suites, calculate the alternate
// cipher key expansion and IV generation
- if (protocolVersion >= 0x0301) {
+ if (protocolVersion >= 0x0302) {
+ // TLS 1.1+
+ throw new RuntimeException(
+ "Internal Error: TLS 1.1+ should not be negotiating" +
+ "exportable ciphersuites");
+ } else if (protocolVersion == 0x0301) {
+ // TLS 1.0
byte[] seed = concat(clientRandom, serverRandom);
- tmp = doPRF(clientKeyBytes, LABEL_CLIENT_WRITE_KEY, seed,
+ tmp = doTLS10PRF(clientKeyBytes, LABEL_CLIENT_WRITE_KEY, seed,
expandedKeyLength, md5, sha);
clientCipherKey = new SecretKeySpec(tmp, alg);
- tmp = doPRF(serverKeyBytes, LABEL_SERVER_WRITE_KEY, seed,
+ tmp = doTLS10PRF(serverKeyBytes, LABEL_SERVER_WRITE_KEY, seed,
expandedKeyLength, md5, sha);
serverCipherKey = new SecretKeySpec(tmp, alg);
if (ivLength != 0) {
tmp = new byte[ivLength];
- byte[] block = doPRF(null, LABEL_IV_BLOCK, seed,
+ byte[] block = doTLS10PRF(null, LABEL_IV_BLOCK, seed,
ivLength << 1, md5, sha);
System.arraycopy(block, 0, tmp, 0, ivLength);
clientIv = new IvParameterSpec(tmp);
@@ -216,6 +239,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
serverIv = new IvParameterSpec(tmp);
}
} else {
+ // SSLv3
tmp = new byte[expandedKeyLength];
md5.update(clientKeyBytes);
diff --git a/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
index 9a6fb80180268d0f79b27195d4e423cfbffcd5c1..1d5e97aefbf26d1b5a730c8799bd7a5b68c927c4 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -64,12 +64,14 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
}
this.spec = (TlsMasterSecretParameterSpec)params;
if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) {
- throw new InvalidAlgorithmParameterException("Key format must be RAW");
+ throw new InvalidAlgorithmParameterException(
+ "Key format must be RAW");
}
- protocolVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
- if ((protocolVersion < 0x0300) || (protocolVersion > 0x0302)) {
- throw new InvalidAlgorithmParameterException
- ("Only SSL 3.0, TLS 1.0, and TLS 1.1 supported");
+ protocolVersion = (spec.getMajorVersion() << 8)
+ | spec.getMinorVersion();
+ if ((protocolVersion < 0x0300) || (protocolVersion > 0x0303)) {
+ throw new InvalidAlgorithmParameterException(
+ "Only SSL 3.0, TLS 1.0/1.1/1.2 supported");
}
}
@@ -79,8 +81,8 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsMasterSecretGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsMasterSecretGenerator must be initialized");
}
SecretKey premasterKey = spec.getPremasterSecret();
byte[] premaster = premasterKey.getEncoded();
@@ -103,7 +105,11 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
if (protocolVersion >= 0x0301) {
byte[] seed = concat(clientRandom, serverRandom);
- master = doPRF(premaster, LABEL_MASTER_SECRET, seed, 48);
+ master = ((protocolVersion >= 0x0303) ?
+ doTLS12PRF(premaster, LABEL_MASTER_SECRET, seed, 48,
+ spec.getPRFHashAlg(), spec.getPRFHashLength(),
+ spec.getPRFBlockSize()) :
+ doTLS10PRF(premaster, LABEL_MASTER_SECRET, seed, 48));
} else {
master = new byte[48];
MessageDigest md5 = MessageDigest.getInstance("MD5");
@@ -124,7 +130,8 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
}
- return new TlsMasterSecretKey(master, premasterMajor, premasterMinor);
+ return new TlsMasterSecretKey(master, premasterMajor,
+ premasterMinor);
} catch (NoSuchAlgorithmException e) {
throw new ProviderException(e);
} catch (DigestException e) {
diff --git a/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
index f73045e6eb26a357f7df9a261a404422d350dae7..137ba255c339928bf0a15c34efb04ae2a92ce9f6 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,11 +37,15 @@ import sun.security.internal.spec.TlsPrfParameterSpec;
/**
* KeyGenerator implementation for the TLS PRF function.
+ * + * This class duplicates the HMAC functionality (RFC 2104) with + * performance optimizations (e.g. XOR'ing keys with padding doesn't + * need to be redone for each HMAC operation). * * @author Andreas Sterbenz * @since 1.6 */ -public final class TlsPrfGenerator extends KeyGeneratorSpi { +abstract class TlsPrfGenerator extends KeyGeneratorSpi { // magic constants and utility functions, also used by other files // in this package @@ -69,8 +73,10 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { * TLS HMAC "inner" and "outer" padding. This isn't a function * of the digest algorithm. */ - private static final byte[] HMAC_ipad = genPad((byte)0x36, 64); - private static final byte[] HMAC_opad = genPad((byte)0x5c, 64); + private static final byte[] HMAC_ipad64 = genPad((byte)0x36, 64); + private static final byte[] HMAC_ipad128 = genPad((byte)0x36, 128); + private static final byte[] HMAC_opad64 = genPad((byte)0x5c, 64); + private static final byte[] HMAC_opad128 = genPad((byte)0x5c, 128); // SSL3 magic mix constants ("A", "BB", "CCC", ...) final static byte[][] SSL3_CONST = genConst(); @@ -123,8 +129,8 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { this.spec = (TlsPrfParameterSpec)params; SecretKey key = spec.getSecret(); if ((key != null) && ("RAW".equals(key.getFormat()) == false)) { - throw new InvalidAlgorithmParameterException - ("Key encoding format must be RAW"); + throw new InvalidAlgorithmParameterException( + "Key encoding format must be RAW"); } } @@ -132,17 +138,21 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { throw new InvalidParameterException(MSG); } - protected SecretKey engineGenerateKey() { + SecretKey engineGenerateKey0(boolean tls12) { if (spec == null) { - throw new IllegalStateException - ("TlsPrfGenerator must be initialized"); + throw new IllegalStateException( + "TlsPrfGenerator must be initialized"); } SecretKey key = spec.getSecret(); byte[] secret = (key == null) ? null : key.getEncoded(); try { byte[] labelBytes = spec.getLabel().getBytes("UTF8"); int n = spec.getOutputLength(); - byte[] prfBytes = doPRF(secret, labelBytes, spec.getSeed(), n); + byte[] prfBytes = (tls12 ? + doTLS12PRF(secret, labelBytes, spec.getSeed(), n, + spec.getPRFHashAlg(), spec.getPRFHashLength(), + spec.getPRFBlockSize()) : + doTLS10PRF(secret, labelBytes, spec.getSeed(), n)); return new SecretKeySpec(prfBytes, "TlsPrf"); } catch (GeneralSecurityException e) { throw new ProviderException("Could not generate PRF", e); @@ -151,16 +161,67 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { } } - static final byte[] doPRF(byte[] secret, byte[] labelBytes, byte[] seed, - int outputLength) throws NoSuchAlgorithmException, DigestException { + static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, + String prfHash, int prfHashLength, int prfBlockSize) + throws NoSuchAlgorithmException, DigestException { + if (prfHash == null) { + throw new NoSuchAlgorithmException("Unspecified PRF algorithm"); + } + MessageDigest prfMD = MessageDigest.getInstance(prfHash); + return doTLS12PRF(secret, labelBytes, seed, outputLength, + prfMD, prfHashLength, prfBlockSize); + } + + static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, + MessageDigest mdPRF, int mdPRFLen, int mdPRFBlockSize) + throws DigestException { + + if (secret == null) { + secret = B0; + } + + // If we have a long secret, digest it first. + if (secret.length > mdPRFBlockSize) { + secret = mdPRF.digest(secret); + } + + byte[] output = new byte[outputLength]; + byte [] ipad; + byte [] opad; + + switch (mdPRFBlockSize) { + case 64: + ipad = HMAC_ipad64.clone(); + opad = HMAC_opad64.clone(); + break; + case 128: + ipad = HMAC_ipad128.clone(); + opad = HMAC_opad128.clone(); + break; + default: + throw new DigestException("Unexpected block size."); + } + + // P_HASH(Secret, label + seed) + expand(mdPRF, mdPRFLen, secret, 0, secret.length, labelBytes, + seed, output, ipad, opad); + + return output; + } + + static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength) throws NoSuchAlgorithmException, + DigestException { MessageDigest md5 = MessageDigest.getInstance("MD5"); MessageDigest sha = MessageDigest.getInstance("SHA1"); - return doPRF(secret, labelBytes, seed, outputLength, md5, sha); + return doTLS10PRF(secret, labelBytes, seed, outputLength, md5, sha); } - static final byte[] doPRF(byte[] secret, byte[] labelBytes, byte[] seed, - int outputLength, MessageDigest md5, MessageDigest sha) - throws DigestException { + static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, MessageDigest md5, + MessageDigest sha) throws DigestException { /* * Split the secret into two halves S1 and S2 of same length. * S1 is taken from the first half of the secret, S2 from the @@ -183,10 +244,12 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { byte[] output = new byte[outputLength]; // P_MD5(S1, label + seed) - expand(md5, 16, secret, 0, seclen, labelBytes, seed, output); + expand(md5, 16, secret, 0, seclen, labelBytes, seed, output, + HMAC_ipad64.clone(), HMAC_opad64.clone()); // P_SHA-1(S2, label + seed) - expand(sha, 20, secret, off, seclen, labelBytes, seed, output); + expand(sha, 20, secret, off, seclen, labelBytes, seed, output, + HMAC_ipad64.clone(), HMAC_opad64.clone()); return output; } @@ -201,16 +264,13 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { * @param seed the seed * @param output the output array */ - private static final void expand(MessageDigest digest, int hmacSize, + private static void expand(MessageDigest digest, int hmacSize, byte[] secret, int secOff, int secLen, byte[] label, byte[] seed, - byte[] output) throws DigestException { + byte[] output, byte[] pad1, byte[] pad2) throws DigestException { /* * modify the padding used, by XORing the key into our copy of that * padding. That's to avoid doing that for each HMAC computation. */ - byte[] pad1 = HMAC_ipad.clone(); - byte[] pad2 = HMAC_opad.clone(); - for (int i = 0; i < secLen; i++) { pad1[i] ^= secret[i + secOff]; pad2[i] ^= secret[i + secOff]; @@ -275,7 +335,34 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { } remaining -= k; } + } + /** + * A KeyGenerator implementation that supports TLS 1.2. + *
+ * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the PRF
+ * calculations. As of 2010, there is no PKCS11-level support for TLS
+ * 1.2 PRF calculations, and no known OS's have an internal variant
+ * we could use. Therefore for TLS 1.2, we are updating JSSE to request
+ * a different provider algorithm: "SunTls12Prf". If we reused the
+ * name "SunTlsPrf", the PKCS11 provider would need be updated to
+ * fail correctly when presented with the wrong version number
+ * (via Provider.Service.supportsParameters()), and add the
+ * appropriate supportsParamters() checks into KeyGenerators (not
+ * currently there).
+ */
+ static public class V12 extends TlsPrfGenerator {
+ protected SecretKey engineGenerateKey() {
+ return engineGenerateKey0(true);
+ }
}
+ /**
+ * A KeyGenerator implementation that supports TLS 1.0/1.1.
+ */
+ static public class V10 extends TlsPrfGenerator {
+ protected SecretKey engineGenerateKey() {
+ return engineGenerateKey0(false);
+ }
+ }
}
diff --git a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
index 9402a1bb2930ddc249762a9a2495522586d5acad..1820ee8cbc384edb48929505bf5090452cae8837 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -69,8 +69,8 @@ public final class TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsRsaPremasterSecretGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsRsaPremasterSecretGenerator must be initialized");
}
if (random == null) {
random = new SecureRandom();
diff --git a/src/share/classes/javax/net/ssl/ExtendedSSLSession.java b/src/share/classes/javax/net/ssl/ExtendedSSLSession.java
new file mode 100644
index 0000000000000000000000000000000000000000..a9a5ed2968a936d9689f5f85d408135c371bcd08
--- /dev/null
+++ b/src/share/classes/javax/net/ssl/ExtendedSSLSession.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package javax.net.ssl;
+
+/**
+ * Extends the SSLSession interface to support additional
+ * session attributes.
+ *
+ * @since 1.7
+ */
+public abstract class ExtendedSSLSession implements SSLSession {
+ /**
+ * Obtains an array of supported signature algorithms that the local side
+ * is willing to use.
+ *
+ * Note: this method is used to indicate to the peer which signature + * algorithms may be used for digital signatures in TLS 1.2. It is + * not meaningful for TLS versions prior to 1.2. + *
+ * The signature algorithm name must be a standard Java Security + * name (such as "SHA1withRSA", "SHA256withECDSA", and so on). + * See Appendix A in the + * Java Cryptography Architecture API Specification & Reference + * for information about standard algorithm names. + *
+ * Note: the local supported signature algorithms should conform to
+ * the algorithm constraints specified by
+ * {@link SSLParameters#getAlgorithmConstraints getAlgorithmConstraints()}
+ * method in SSLParameters.
+ *
+ * @return An array of supported signature algorithms, in descending
+ * order of preference. The return value is an empty array if
+ * no signature algorithm is supported.
+ *
+ * @see SSLParameters#getAlgorithmConstraints
+ */
+ public abstract String[] getLocalSupportedSignatureAlgorithms();
+
+ /**
+ * Obtains an array of supported signature algorithms that the peer is
+ * able to use.
+ *
+ * Note: this method is used to indicate to the local side which signature + * algorithms may be used for digital signatures in TLS 1.2. It is + * not meaningful for TLS versions prior to 1.2. + *
+ * The signature algorithm name must be a standard Java Security + * name (such as "SHA1withRSA", "SHA256withECDSA", and so on). + * See Appendix A in the + * Java Cryptography Architecture API Specification & Reference + * for information about standard algorithm names. + * + * @return An array of supported signature algorithms, in descending + * order of preference. The return value is an empty array if + * the peer has not sent the supported signature algorithms. + * + * @see X509KeyManager + * @see X509ExtendedKeyManager + */ + public abstract String[] getPeerSupportedSignatureAlgorithms(); +} diff --git a/src/share/classes/javax/net/ssl/HttpsURLConnection.java b/src/share/classes/javax/net/ssl/HttpsURLConnection.java index e9c478fece1549cb1deeed0a3ec631962ee98d77..6d799e3ff5fe8193a2a151eea111ba1c8cc007bf 100644 --- a/src/share/classes/javax/net/ssl/HttpsURLConnection.java +++ b/src/share/classes/javax/net/ssl/HttpsURLConnection.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -188,19 +188,8 @@ class HttpsURLConnection extends HttpURLConnection *
* The default implementation will deny such connections.
*/
- private static HostnameVerifier defaultHostnameVerifier;
-
- /**
- * Initialize the default HostnameVerifier.
- */
- static {
- try {
- defaultHostnameVerifier =
- new sun.net.www.protocol.https.DefaultHostnameVerifier();
- } catch (NoClassDefFoundError e) {
- defaultHostnameVerifier = new DefaultHostnameVerifier();
- }
- }
+ private static HostnameVerifier defaultHostnameVerifier =
+ new DefaultHostnameVerifier();
/*
* The initial default HostnameVerifier. Should be
diff --git a/src/share/classes/javax/net/ssl/SSLEngine.java b/src/share/classes/javax/net/ssl/SSLEngine.java
index df3830858a6d96654dfaab89b789ab5e799d49b5..2eea55121cb6ce401edaacb0fd79e6ab4d135627 100644
--- a/src/share/classes/javax/net/ssl/SSLEngine.java
+++ b/src/share/classes/javax/net/ssl/SSLEngine.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -967,6 +967,47 @@ public abstract class SSLEngine {
public abstract SSLSession getSession();
+ /**
+ * Returns the {@code SSLSession} being constructed during a SSL/TLS
+ * handshake.
+ *
+ * TLS protocols may negotiate parameters that are needed when using + * an instance of this class, but before the {@code SSLSession} has + * been completely initialized and made available via {@code getSession}. + * For example, the list of valid signature algorithms may restrict + * the type of certificates that can used during TrustManager + * decisions, or the maximum TLS fragment packet sizes can be + * resized to better support the network environment. + *
+ * This method provides early access to the {@code SSLSession} being + * constructed. Depending on how far the handshake has progressed, + * some data may not yet be available for use. For example, if a + * remote server will be sending a Certificate chain, but that chain + * has yet not been processed, the {@code getPeerCertificates} + * method of {@code SSLSession} will throw a + * SSLPeerUnverifiedException. Once that chain has been processed, + * {@code getPeerCertificates} will return the proper value. + * + * @see SSLSocket + * @see SSLSession + * @see ExtendedSSLSession + * @see X509ExtendedKeyManager + * @see X509ExtendedTrustManager + * + * @return null if this instance is not currently handshaking, or + * if the current handshake has not progressed far enough to + * create a basic SSLSession. Otherwise, this method returns the + * {@code SSLSession} currently being negotiated. + * @throws UnsupportedOperationException if the underlying provider + * does not implement the operation. + * + * @since 1.7 + */ + public SSLSession getHandshakeSession() { + throw new UnsupportedOperationException(); + } + + /** * Initiates handshaking (initial or renegotiation) on this SSLEngine. *
diff --git a/src/share/classes/javax/net/ssl/SSLParameters.java b/src/share/classes/javax/net/ssl/SSLParameters.java index ed8913230afbd8ee0fb6b0f4dd8c28d530abd3d0..4bb20a164eb50bc3a5657e5cbaa4395c52e529c2 100644 --- a/src/share/classes/javax/net/ssl/SSLParameters.java +++ b/src/share/classes/javax/net/ssl/SSLParameters.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,24 +25,29 @@ package javax.net.ssl; +import java.security.AlgorithmConstraints; + /** * Encapsulates parameters for an SSL/TLS connection. The parameters * are the list of ciphersuites to be accepted in an SSL/TLS handshake, - * the list of protocols to be allowed, and whether SSL/TLS servers should - * request or require client authentication. - * - *
SSLParameters can be created via the constructors in this class. + * the list of protocols to be allowed, the endpoint identification + * algorithm during SSL/TLS handshaking, the algorithm constraints and + * whether SSL/TLS servers should request or require client authentication. + *
+ * SSLParameters can be created via the constructors in this class.
* Objects can also be obtained using the getSSLParameters()
* methods in
* {@link SSLSocket#getSSLParameters SSLSocket} and
+ * {@link SSLServerSocket#getSSLParameters SSLServerSocket} and
* {@link SSLEngine#getSSLParameters SSLEngine} or the
* {@link SSLContext#getDefaultSSLParameters getDefaultSSLParameters()} and
* {@link SSLContext#getSupportedSSLParameters getSupportedSSLParameters()}
* methods in SSLContext.
- *
- *
SSLParameters can be applied to a connection via the methods + *
+ * SSLParameters can be applied to a connection via the methods * {@link SSLSocket#setSSLParameters SSLSocket.setSSLParameters()} and - * {@link SSLEngine#setSSLParameters SSLEngine.getSSLParameters()}. + * {@link SSLServerSocket#setSSLParameters SSLServerSocket.setSSLParameters()} + * and {@link SSLEngine#setSSLParameters SSLEngine.getSSLParameters()}. * * @see SSLSocket * @see SSLEngine @@ -56,11 +61,13 @@ public class SSLParameters { private String[] protocols; private boolean wantClientAuth; private boolean needClientAuth; + private String identificationAlgorithm; + private AlgorithmConstraints algorithmConstraints; /** * Constructs SSLParameters. - * - *
The cipherSuites and protocols values are set to null,
+ *
+ * The cipherSuites and protocols values are set to null,
* wantClientAuth and needClientAuth are set to false.
*/
public SSLParameters() {
@@ -69,6 +76,7 @@ public class SSLParameters {
/**
* Constructs SSLParameters from the specified array of ciphersuites.
+ *
* Calling this constructor is equivalent to calling the no-args
* constructor followed by
* setCipherSuites(cipherSuites);.
@@ -82,6 +90,7 @@ public class SSLParameters {
/**
* Constructs SSLParameters from the specified array of ciphersuites
* and protocols.
+ *
* Calling this constructor is equivalent to calling the no-args
* constructor followed by
* setCipherSuites(cipherSuites); setProtocols(protocols);.
@@ -178,4 +187,71 @@ public class SSLParameters {
this.needClientAuth = needClientAuth;
}
+ /**
+ * Returns the cryptographic algorithm constraints.
+ *
+ * @return the cryptographic algorithm constraints, or null if the
+ * constraints have not been set
+ *
+ * @see #setAlgorithmConstraints(AlgorithmConstraints)
+ *
+ * @since 1.7
+ */
+ public AlgorithmConstraints getAlgorithmConstraints() {
+ return algorithmConstraints;
+ }
+
+ /**
+ * Sets the cryptographic algorithm constraints, which will be used
+ * in addition to any configured by the runtime environment.
+ *
+ * If the constraints parameter is non-null, every
+ * cryptographic algorithm, key and algorithm parameters used in the
+ * SSL/TLS handshake must be permitted by the constraints.
+ *
+ * @param constraints the algorithm constraints (or null)
+ *
+ * @since 1.7
+ */
+ public void setAlgorithmConstraints(AlgorithmConstraints constraints) {
+ // the constraints object is immutable
+ this.algorithmConstraints = constraints;
+ }
+
+ /**
+ * Gets the endpoint identification algorithm.
+ *
+ * @return the endpoint identification algorithm, or null if none
+ * has been set.
+ *
+ * @see X509ExtendedTrustManager
+ * @see #setEndpointIdentificationAlgorithm(String)
+ *
+ * @since 1.7
+ */
+ public String getEndpointIdentificationAlgorithm() {
+ return identificationAlgorithm;
+ }
+
+ /**
+ * Sets the endpoint identification algorithm.
+ *
+ * If the algorithm parameter is non-null or non-empty, the
+ * endpoint identification/verification procedures must be handled during
+ * SSL/TLS handshaking. This is to prevent man-in-the-middle attacks.
+ *
+ * @param algorithm The standard string name of the endpoint
+ * identification algorithm (or null). See Appendix A in the
+ * Java Cryptography Architecture API Specification & Reference
+ * for information about standard algorithm names.
+ *
+ * @see X509ExtendedTrustManager
+ *
+ * @since 1.7
+ */
+ public void setEndpointIdentificationAlgorithm(String algorithm) {
+ this.identificationAlgorithm = algorithm;
+ }
+
}
diff --git a/src/share/classes/javax/net/ssl/SSLServerSocket.java b/src/share/classes/javax/net/ssl/SSLServerSocket.java
index 6bcb8a678e8f14cb7acd0d41b6d16dca7fbbdf60..d5bbaaf5da5ab79d9dd0f6a60ecb87550b550570 100644
--- a/src/share/classes/javax/net/ssl/SSLServerSocket.java
+++ b/src/share/classes/javax/net/ssl/SSLServerSocket.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -56,8 +56,8 @@ import java.net.*;
* @since 1.4
* @author David Brownell
*/
-public abstract class SSLServerSocket extends ServerSocket
-{
+public abstract class SSLServerSocket extends ServerSocket {
+
/**
* Used only by subclasses.
*
@@ -449,8 +449,79 @@ public abstract class SSLServerSocket extends ServerSocket * * @return true indicates that sessions may be created; this * is the default. false indicates that an existing - * session must be resumed. + * session must be resumed * @see #setEnableSessionCreation(boolean) */ public abstract boolean getEnableSessionCreation(); + + /** + * Returns the SSLParameters in effect for newly accepted connections. + * The ciphersuites and protocols of the returned SSLParameters + * are always non-null. + * + * @return the SSLParameters in effect for newly accepted connections + * + * @see #setSSLParameters(SSLParameters) + * + * @since 1.7 + */ + public SSLParameters getSSLParameters() { + SSLParameters parameters = new SSLParameters(); + + parameters.setCipherSuites(getEnabledCipherSuites()); + parameters.setProtocols(getEnabledProtocols()); + if (getNeedClientAuth()) { + parameters.setNeedClientAuth(true); + } else if (getWantClientAuth()) { + parameters.setWantClientAuth(true); + } + + return parameters; + } + + /** + * Applies SSLParameters to newly accepted connections. + * + *
This means: + *
params.getCipherSuites() is non-null,
+ * setEnabledCipherSuites() is called with that value
+ * params.getProtocols() is non-null,
+ * setEnabledProtocols() is called with that value
+ * params.getNeedClientAuth() or
+ * params.getWantClientAuth() return true,
+ * setNeedClientAuth(true) and
+ * setWantClientAuth(true) are called, respectively;
+ * otherwise setWantClientAuth(false) is called.
+ * + * TLS protocols may negotiate parameters that are needed when using + * an instance of this class, but before the {@code SSLSession} has + * been completely initialized and made available via {@code getSession}. + * For example, the list of valid signature algorithms may restrict + * the type of certificates that can used during TrustManager + * decisions, or the maximum TLS fragment packet sizes can be + * resized to better support the network environment. + *
+ * This method provides early access to the {@code SSLSession} being + * constructed. Depending on how far the handshake has progressed, + * some data may not yet be available for use. For example, if a + * remote server will be sending a Certificate chain, but that chain + * has yet not been processed, the {@code getPeerCertificates} + * method of {@code SSLSession} will throw a + * SSLPeerUnverifiedException. Once that chain has been processed, + * {@code getPeerCertificates} will return the proper value. + *
+ * Unlike {@link #getSession()}, this method does not initiate the
+ * initial handshake and does not block until handshaking is
+ * complete.
+ *
+ * @see SSLEngine
+ * @see SSLSession
+ * @see ExtendedSSLSession
+ * @see X509ExtendedKeyManager
+ * @see X509ExtendedTrustManager
+ *
+ * @return null if this instance is not currently handshaking, or
+ * if the current handshake has not progressed far enough to
+ * create a basic SSLSession. Otherwise, this method returns the
+ * {@code SSLSession} currently being negotiated.
+ * @throws UnsupportedOperationException if the underlying provider
+ * does not implement the operation.
+ *
+ * @since 1.7
+ */
+ public SSLSession getHandshakeSession() {
+ throw new UnsupportedOperationException();
+ }
+
+
/**
* Registers an event listener to receive notifications that an
* SSL handshake has completed on this connection.
diff --git a/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java b/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
new file mode 100644
index 0000000000000000000000000000000000000000..e69a282c55f3149c9a0bcb759615911b11d336a3
--- /dev/null
+++ b/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
@@ -0,0 +1,234 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package javax.net.ssl;
+
+import java.net.Socket;
+import javax.net.ssl.X509TrustManager;
+
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+
+/**
+ * Extensions to the X509TrustManager interface to support
+ * SSL/TLS connection sensitive trust management.
+ *
+ * To prevent man-in-the-middle attacks, hostname checks can be done + * to verify that the hostname in an end-entity certificate matches the + * targeted hostname. TLS does not require such checks, but some protocols + * over TLS (such as HTTPS) do. In earlier versions of the JDK, the + * certificate chain checks were done at the SSL/TLS layer, and the hostname + * verification checks were done at the layer over TLS. This class allows + * for the checking to be done during a single call to this class. + *
+ * RFC 2830 defines the server identification specification for the "LDAPS" + * algorithm. RFC 2818 defines both the server identification and the + * client identification specification for the "HTTPS" algorithm. + * + * @see X509TrustManager + * @see HostnameVerifier + * + * @since 1.7 + */ +public abstract class X509ExtendedTrustManager implements X509TrustManager { + /** + * Given the partial or complete certificate chain provided by the + * peer, build and validate the certificate path based on the + * authentication type and ssl parameters. + *
+ * The authentication type is determined by the actual certificate + * used. For instance, if RSAPublicKey is used, the authType + * should be "RSA". Checking is case-sensitive. + *
+ * If the socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the endpoint identification
+ * algorithm of the SSLParameters is non-empty, to prevent
+ * man-in-the-middle attacks, the address that the socket
+ * connected to should be checked against the peer's identity presented
+ * in the end-entity X509 certificate, as specified in the endpoint
+ * identification algorithm.
+ *
+ * If the socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the algorithm constraints of the
+ * SSLParameters is non-null, for every certificate in the
+ * certification path, fields such as subject public key, the signature
+ * algorithm, key usage, extended key usage, etc. need to conform to the
+ * algorithm constraints in place on this socket.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param socket the socket used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkClientTrusted(X509Certificate[] chain,
+ String authType, Socket socket) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ *
+ * The authentication type is the key exchange algorithm portion + * of the cipher suites represented as a String, such as "RSA", + * "DHE_DSS". Note: for some exportable cipher suites, the key + * exchange algorithm is determined at run time during the + * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5, + * the authType should be RSA_EXPORT when an ephemeral RSA key is + * used for the key exchange, and RSA when the key from the server + * certificate is used. Checking is case-sensitive. + *
+ * If the socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the endpoint identification
+ * algorithm of the SSLParameters is non-empty, to prevent
+ * man-in-the-middle attacks, the address that the socket
+ * connected to should be checked against the peer's identity presented
+ * in the end-entity X509 certificate, as specified in the endpoint
+ * identification algorithm.
+ *
+ * If the socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the algorithm constraints of the
+ * SSLParameters is non-null, for every certificate in the
+ * certification path, fields such as subject public key, the signature
+ * algorithm, key usage, extended key usage, etc. need to conform to the
+ * algorithm constraints in place on this socket.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param socket the socket used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkServerTrusted(X509Certificate[] chain,
+ String authType, Socket socket) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ *
+ * The authentication type is determined by the actual certificate + * used. For instance, if RSAPublicKey is used, the authType + * should be "RSA". Checking is case-sensitive. + *
+ * If the engine parameter is available, and the endpoint
+ * identification algorithm of the SSLParameters is
+ * non-empty, to prevent man-in-the-middle attacks, the address that
+ * the engine connected to should be checked against
+ * the peer's identity presented in the end-entity X509 certificate,
+ * as specified in the endpoint identification algorithm.
+ *
+ * If the engine parameter is available, and the algorithm
+ * constraints of the SSLParameters is non-null, for every
+ * certificate in the certification path, fields such as subject public
+ * key, the signature algorithm, key usage, extended key usage, etc.
+ * need to conform to the algorithm constraints in place on this engine.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param engine the engine used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkClientTrusted(X509Certificate[] chain,
+ String authType, SSLEngine engine) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ *
+ * The authentication type is the key exchange algorithm portion + * of the cipher suites represented as a String, such as "RSA", + * "DHE_DSS". Note: for some exportable cipher suites, the key + * exchange algorithm is determined at run time during the + * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5, + * the authType should be RSA_EXPORT when an ephemeral RSA key is + * used for the key exchange, and RSA when the key from the server + * certificate is used. Checking is case-sensitive. + *
+ * If the engine parameter is available, and the endpoint
+ * identification algorithm of the SSLParameters is
+ * non-empty, to prevent man-in-the-middle attacks, the address that
+ * the engine connected to should be checked against
+ * the peer's identity presented in the end-entity X509 certificate,
+ * as specified in the endpoint identification algorithm.
+ *
+ * If the
- *
+ *
* This class supports both the Simple validation algorithm from previous
* JSSE versions and PKIX validation. Currently, it is not possible for the
* application to specify PKIX parameters other than trust anchors. This will
@@ -50,19 +51,10 @@ import sun.security.util.HostnameChecker;
* classes.
*
* @author Andreas Sterbenz
- * @author Xuelei Fan
*/
final class X509TrustManagerImpl extends X509ExtendedTrustManager
implements X509TrustManager {
- /**
- * Flag indicating whether to enable revocation check for the PKIX trust
- * manager. Typically, this will only work if the PKIX implementation
- * supports CRL distribution points as we do not manually setup CertStores.
- */
- private final static boolean checkRevocation =
- Debug.getBooleanProperty("com.sun.net.ssl.checkRevocation", false);
-
private final String validatorType;
/**
@@ -103,188 +95,259 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
showTrustedCerts();
}
- private void showTrustedCerts() {
- if (debug != null && Debug.isOn("trustmanager")) {
- for (X509Certificate cert : trustedCerts) {
- System.out.println("adding as trusted cert:");
- System.out.println(" Subject: "
- + cert.getSubjectX500Principal());
- System.out.println(" Issuer: "
- + cert.getIssuerX500Principal());
- System.out.println(" Algorithm: "
- + cert.getPublicKey().getAlgorithm()
- + "; Serial number: 0x"
- + cert.getSerialNumber().toString(16));
- System.out.println(" Valid from "
- + cert.getNotBefore() + " until "
- + cert.getNotAfter());
- System.out.println();
- }
- }
+ @Override
+ public void checkClientTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ checkTrusted(chain, authType, (Socket)null, true);
}
- private Validator getValidator(String variant) {
- Validator v;
- if (pkixParams == null) {
- v = Validator.getInstance(validatorType, variant, trustedCerts);
- // if the PKIX validator is created from a KeyStore,
- // disable revocation checking
- if (v instanceof PKIXValidator) {
- PKIXValidator pkixValidator = (PKIXValidator)v;
- pkixValidator.getParameters().setRevocationEnabled
- (checkRevocation);
- }
- } else {
- v = Validator.getInstance(validatorType, variant, pkixParams);
- }
- return v;
+ @Override
+ public void checkServerTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ checkTrusted(chain, authType, (Socket)null, false);
}
- private static X509Certificate[] validate(Validator v,
- X509Certificate[] chain, String authType) throws CertificateException {
- Object o = JsseJce.beginFipsProvider();
- try {
- return v.validate(chain, null, authType);
- } finally {
- JsseJce.endFipsProvider(o);
- }
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ X509Certificate[] certsArray = new X509Certificate[trustedCerts.size()];
+ trustedCerts.toArray(certsArray);
+ return certsArray;
}
- /**
- * Returns true if the client certificate can be trusted.
- *
- * @param chain certificates which establish an identity for the client.
- * Chains of arbitrary length are supported, and certificates
- * marked internally as trusted will short-circuit signature checks.
- * @throws IllegalArgumentException if null or zero-length chain
- * is passed in for the chain parameter or if null or zero-length
- * string is passed in for the authType parameter.
- * @throws CertificateException if the certificate chain is not trusted
- * by this TrustManager.
- */
- public void checkClientTrusted(X509Certificate chain[], String authType)
- throws CertificateException {
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ checkTrusted(chain, authType, socket, true);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ checkTrusted(chain, authType, socket, false);
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ checkTrusted(chain, authType, engine, true);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ checkTrusted(chain, authType, engine, false);
+ }
+
+ private Validator checkTrustedInit(X509Certificate[] chain,
+ String authType, boolean isClient) {
if (chain == null || chain.length == 0) {
throw new IllegalArgumentException(
"null or zero-length certificate chain");
}
+
if (authType == null || authType.length() == 0) {
throw new IllegalArgumentException(
"null or zero-length authentication type");
}
- // assume double checked locking with a volatile flag works
- // (guaranteed under the new Tiger memory model)
- Validator v = clientValidator;
- if (v == null) {
- synchronized (this) {
- v = clientValidator;
- if (v == null) {
- v = getValidator(Validator.VAR_TLS_CLIENT);
- clientValidator = v;
+ Validator v = null;
+ if (isClient) {
+ v = clientValidator;
+ if (v == null) {
+ synchronized (this) {
+ v = clientValidator;
+ if (v == null) {
+ v = getValidator(Validator.VAR_TLS_CLIENT);
+ clientValidator = v;
+ }
+ }
+ }
+ } else {
+ // assume double checked locking with a volatile flag works
+ // (guaranteed under the new Tiger memory model)
+ v = serverValidator;
+ if (v == null) {
+ synchronized (this) {
+ v = serverValidator;
+ if (v == null) {
+ v = getValidator(Validator.VAR_TLS_SERVER);
+ serverValidator = v;
+ }
+ }
+ }
+ }
+
+ return v;
+ }
+
+
+ private void checkTrusted(X509Certificate[] chain, String authType,
+ Socket socket, boolean isClient) throws CertificateException {
+ Validator v = checkTrustedInit(chain, authType, isClient);
+
+ AlgorithmConstraints constraints = null;
+ if ((socket != null) && socket.isConnected() &&
+ (socket instanceof SSLSocket)) {
+
+ SSLSocket sslSocket = (SSLSocket)socket;
+ SSLSession session = sslSocket.getHandshakeSession();
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ // check endpoint identity
+ String identityAlg = sslSocket.getSSLParameters().
+ getEndpointIdentificationAlgorithm();
+ if (identityAlg != null && identityAlg.length() != 0) {
+ String hostname = session.getPeerHost();
+ checkIdentity(hostname, chain[0], identityAlg);
+ }
+
+ // create the algorithm constraints
+ ProtocolVersion protocolVersion =
+ ProtocolVersion.valueOf(session.getProtocol());
+ if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+ if (session instanceof ExtendedSSLSession) {
+ ExtendedSSLSession extSession =
+ (ExtendedSSLSession)session;
+ String[] localSupportedSignAlgs =
+ extSession.getLocalSupportedSignatureAlgorithms();
+
+ constraints = new SSLAlgorithmConstraints(
+ sslSocket, localSupportedSignAlgs, false);
+ } else {
+ constraints =
+ new SSLAlgorithmConstraints(sslSocket, false);
}
+ } else {
+ constraints = new SSLAlgorithmConstraints(sslSocket, false);
}
}
- X509Certificate[] trustedChain = validate(v, chain, null);
+
+ X509Certificate[] trustedChain = null;
+ if (isClient) {
+ trustedChain = validate(v, chain, constraints, null);
+ } else {
+ trustedChain = validate(v, chain, constraints, authType);
+ }
if (debug != null && Debug.isOn("trustmanager")) {
System.out.println("Found trusted certificate:");
System.out.println(trustedChain[trustedChain.length - 1]);
}
}
- /**
- * Returns true if the server certifcate can be trusted.
- *
- * @param chain certificates which establish an identity for the server.
- * Chains of arbitrary length are supported, and certificates
- * marked internally as trusted will short-circuit signature checks.
- * @throws IllegalArgumentException if null or zero-length chain
- * is passed in for the chain parameter or if null or zero-length
- * string is passed in for the authType parameter.
- * @throws CertificateException if the certificate chain is not trusted
- * by this TrustManager.
- */
- public void checkServerTrusted(X509Certificate chain[], String authType)
- throws CertificateException {
- if (chain == null || chain.length == 0) {
- throw new IllegalArgumentException(
- "null or zero-length certificate chain");
- }
- if (authType == null || authType.length() == 0) {
- throw new IllegalArgumentException(
- "null or zero-length authentication type");
- }
+ private void checkTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine, boolean isClient) throws CertificateException {
+ Validator v = checkTrustedInit(chain, authType, isClient);
+
+ AlgorithmConstraints constraints = null;
+ if (engine != null) {
+ SSLSession session = engine.getHandshakeSession();
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ // check endpoint identity
+ String identityAlg = engine.getSSLParameters().
+ getEndpointIdentificationAlgorithm();
+ if (identityAlg != null && identityAlg.length() != 0) {
+ String hostname = session.getPeerHost();
+ checkIdentity(hostname, chain[0], identityAlg);
+ }
+
+ // create the algorithm constraints
+ ProtocolVersion protocolVersion =
+ ProtocolVersion.valueOf(session.getProtocol());
+ if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+ if (session instanceof ExtendedSSLSession) {
+ ExtendedSSLSession extSession =
+ (ExtendedSSLSession)session;
+ String[] localSupportedSignAlgs =
+ extSession.getLocalSupportedSignatureAlgorithms();
- // assume double checked locking with a volatile flag works
- // (guaranteed under the new Tiger memory model)
- Validator v = serverValidator;
- if (v == null) {
- synchronized (this) {
- v = serverValidator;
- if (v == null) {
- v = getValidator(Validator.VAR_TLS_SERVER);
- serverValidator = v;
+ constraints = new SSLAlgorithmConstraints(
+ engine, localSupportedSignAlgs, false);
+ } else {
+ constraints =
+ new SSLAlgorithmConstraints(engine, false);
}
+ } else {
+ constraints = new SSLAlgorithmConstraints(engine, false);
}
}
- X509Certificate[] trustedChain = validate(v, chain, authType);
+
+ X509Certificate[] trustedChain = null;
+ if (isClient) {
+ trustedChain = validate(v, chain, constraints, null);
+ } else {
+ trustedChain = validate(v, chain, constraints, authType);
+ }
if (debug != null && Debug.isOn("trustmanager")) {
System.out.println("Found trusted certificate:");
System.out.println(trustedChain[trustedChain.length - 1]);
}
}
- /**
- * Returns a list of CAs accepted to authenticate entities for the
- * specified purpose.
- *
- * @param purpose activity for which CAs should be trusted
- * @return list of CAs accepted for authenticating such tasks
- */
- public X509Certificate[] getAcceptedIssuers() {
- X509Certificate[] certsArray = new X509Certificate[trustedCerts.size()];
- trustedCerts.toArray(certsArray);
- return certsArray;
+ private void showTrustedCerts() {
+ if (debug != null && Debug.isOn("trustmanager")) {
+ for (X509Certificate cert : trustedCerts) {
+ System.out.println("adding as trusted cert:");
+ System.out.println(" Subject: "
+ + cert.getSubjectX500Principal());
+ System.out.println(" Issuer: "
+ + cert.getIssuerX500Principal());
+ System.out.println(" Algorithm: "
+ + cert.getPublicKey().getAlgorithm()
+ + "; Serial number: 0x"
+ + cert.getSerialNumber().toString(16));
+ System.out.println(" Valid from "
+ + cert.getNotBefore() + " until "
+ + cert.getNotAfter());
+ System.out.println();
+ }
+ }
}
- /**
- * Given the partial or complete certificate chain provided by the
- * peer, check its identity and build a certificate path to a trusted
- * root, return if it can be validated and is trusted for client SSL
- * authentication based on the authentication type.
- */
- public void checkClientTrusted(X509Certificate[] chain, String authType,
- String hostname, String algorithm) throws CertificateException {
- checkClientTrusted(chain, authType);
- checkIdentity(hostname, chain[0], algorithm);
+ private Validator getValidator(String variant) {
+ Validator v;
+ if (pkixParams == null) {
+ v = Validator.getInstance(validatorType, variant, trustedCerts);
+ } else {
+ v = Validator.getInstance(validatorType, variant, pkixParams);
+ }
+ return v;
}
- /**
- * Given the partial or complete certificate chain provided by the
- * peer, check its identity and build a certificate path to a trusted
- * root, return if it can be validated and is trusted for server SSL
- * authentication based on the authentication type.
- */
- public void checkServerTrusted(X509Certificate[] chain, String authType,
- String hostname, String algorithm) throws CertificateException {
- checkServerTrusted(chain, authType);
- checkIdentity(hostname, chain[0], algorithm);
+ private static X509Certificate[] validate(Validator v,
+ X509Certificate[] chain, AlgorithmConstraints constraints,
+ String authType) throws CertificateException {
+ Object o = JsseJce.beginFipsProvider();
+ try {
+ return v.validate(chain, null, constraints, authType);
+ } finally {
+ JsseJce.endFipsProvider(o);
+ }
}
- // Identify the peer by its certificate and hostname.
- private void checkIdentity(String hostname, X509Certificate cert,
- String algorithm) throws CertificateException {
+ /*
+ * Identify the peer by its certificate and hostname.
+ *
+ * Lifted from sun.net.www.protocol.https.HttpsClient.
+ */
+ static void checkIdentity(String hostname, X509Certificate cert,
+ String algorithm) throws CertificateException {
if (algorithm != null && algorithm.length() != 0) {
// if IPv6 strip off the "[]"
- if (hostname != null && hostname.startsWith("[") &&
- hostname.endsWith("]")) {
- hostname = hostname.substring(1, hostname.length()-1);
+ if ((hostname != null) && hostname.startsWith("[") &&
+ hostname.endsWith("]")) {
+ hostname = hostname.substring(1, hostname.length() - 1);
}
if (algorithm.equalsIgnoreCase("HTTPS")) {
HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(
hostname, cert);
- } else if (algorithm.equalsIgnoreCase("LDAP")) {
+ } else if (algorithm.equalsIgnoreCase("LDAP") ||
+ algorithm.equalsIgnoreCase("LDAPS")) {
HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP).match(
hostname, cert);
} else {
diff --git a/test/com/sun/crypto/provider/TLS/TestKeyMaterial.java b/test/com/sun/crypto/provider/TLS/TestKeyMaterial.java
index e15a1f693f9c3879d08f17bcc4f497b64ecfed6a..8874070f484db7892943d8053fa9df2b982dff29 100644
--- a/test/com/sun/crypto/provider/TLS/TestKeyMaterial.java
+++ b/test/com/sun/crypto/provider/TLS/TestKeyMaterial.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -117,16 +117,23 @@ public class TestKeyMaterial extends Utils {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsKeyMaterial", provider);
- SecretKey masterKey = new SecretKeySpec(master, "TlsMasterSecret");
- TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec
- (masterKey, major, minor, clientRandom, serverRandom, cipherAlgorithm,
- keyLength, expandedKeyLength, ivLength, macLength);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsKeyMaterial", provider);
+ SecretKey masterKey =
+ new SecretKeySpec(master, "TlsMasterSecret");
+ TlsKeyMaterialParameterSpec spec =
+ new TlsKeyMaterialParameterSpec(masterKey, major, minor,
+ clientRandom, serverRandom, cipherAlgorithm,
+ keyLength, expandedKeyLength, ivLength, macLength,
+ null, -1, -1);
kg.init(spec);
- TlsKeyMaterialSpec result = (TlsKeyMaterialSpec)kg.generateKey();
- match(lineNumber, clientCipherBytes, result.getClientCipherKey());
- match(lineNumber, serverCipherBytes, result.getServerCipherKey());
+ TlsKeyMaterialSpec result =
+ (TlsKeyMaterialSpec)kg.generateKey();
+ match(lineNumber, clientCipherBytes,
+ result.getClientCipherKey());
+ match(lineNumber, serverCipherBytes,
+ result.getServerCipherKey());
match(lineNumber, clientIv, result.getClientIv());
match(lineNumber, serverIv, result.getServerIv());
match(lineNumber, clientMacBytes, result.getClientMacKey());
@@ -144,7 +151,8 @@ public class TestKeyMaterial extends Utils {
System.out.println("OK: " + n + " tests");
}
- private static void match(int lineNumber, byte[] out, Object res) throws Exception {
+ private static void match(int lineNumber, byte[] out, Object res)
+ throws Exception {
if ((out == null) || (res == null)) {
if (out != res) {
throw new Exception("null mismatch line " + lineNumber);
diff --git a/test/com/sun/crypto/provider/TLS/TestMasterSecret.java b/test/com/sun/crypto/provider/TLS/TestMasterSecret.java
index bc8b0ae0e99595d9518086b77bfc524c32084739..3025ef5f2d10b071a1f158156502cb6d379a6516 100644
--- a/test/com/sun/crypto/provider/TLS/TestMasterSecret.java
+++ b/test/com/sun/crypto/provider/TLS/TestMasterSecret.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -97,17 +97,22 @@ public class TestMasterSecret extends Utils {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsMasterSecret", provider);
- SecretKey premasterKey = new SecretKeySpec(premaster, algorithm);
- TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec
- (premasterKey, protoMajor, protoMinor, clientRandom, serverRandom);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsMasterSecret", provider);
+ SecretKey premasterKey =
+ new SecretKeySpec(premaster, algorithm);
+ TlsMasterSecretParameterSpec spec =
+ new TlsMasterSecretParameterSpec(premasterKey, protoMajor,
+ protoMinor, clientRandom, serverRandom,
+ null, -1, -1);
kg.init(spec);
TlsMasterSecret key = (TlsMasterSecret)kg.generateKey();
byte[] enc = key.getEncoded();
if (Arrays.equals(master, enc) == false) {
throw new Exception("mismatch line: " + lineNumber);
}
- if ((preMajor != key.getMajorVersion()) || (preMinor != key.getMinorVersion())) {
+ if ((preMajor != key.getMajorVersion()) ||
+ (preMinor != key.getMinorVersion())) {
throw new Exception("version mismatch line: " + lineNumber);
}
} else {
diff --git a/test/com/sun/crypto/provider/TLS/TestPRF.java b/test/com/sun/crypto/provider/TLS/TestPRF.java
index 0b2bebc0ec09e08e854b980431e729ab284d88b8..9c6f9ecf80af0583b6ae71836197a0fa85bef029 100644
--- a/test/com/sun/crypto/provider/TLS/TestPRF.java
+++ b/test/com/sun/crypto/provider/TLS/TestPRF.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -85,14 +85,17 @@ public class TestPRF extends Utils {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsPrf", provider);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsPrf", provider);
SecretKey inKey;
if (secret == null) {
inKey = null;
} else {
inKey = new SecretKeySpec(secret, "Generic");
}
- TlsPrfParameterSpec spec = new TlsPrfParameterSpec(inKey, label, seed, length);
+ TlsPrfParameterSpec spec =
+ new TlsPrfParameterSpec(inKey, label, seed, length,
+ null, -1, -1);
kg.init(spec);
SecretKey key = kg.generateKey();
byte[] enc = key.getEncoded();
diff --git a/test/com/sun/crypto/provider/TLS/TestPRF12.java b/test/com/sun/crypto/provider/TLS/TestPRF12.java
new file mode 100644
index 0000000000000000000000000000000000000000..d9384bffa78959eaf414b2c0911468dad2747228
--- /dev/null
+++ b/test/com/sun/crypto/provider/TLS/TestPRF12.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 6313661
+ * @summary Basic known-answer-test for TlsPrf 12
+ *
+ * Vector obtained from the IETF TLS working group mailing list:
+ *
+ * http://www.ietf.org/mail-archive/web/tls/current/msg03416.html
+ */
+
+import java.io.*;
+import java.util.*;
+
+import java.security.Security;
+import java.security.Provider;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+
+import javax.crypto.spec.*;
+
+import sun.security.internal.spec.*;
+
+public class TestPRF12 extends Utils {
+
+ private static int PREFIX_LENGTH = "prf-output: ".length();
+
+ public static void main(String[] args) throws Exception {
+ Provider provider = Security.getProvider("SunJCE");
+
+ InputStream in = new FileInputStream(new File(BASE, "prf12data.txt"));
+ BufferedReader reader = new BufferedReader(new InputStreamReader(in));
+
+ int n = 0;
+ int lineNumber = 0;
+
+ byte[] secret = null;
+ String label = null;
+ byte[] seed = null;
+ int length = 0;
+ String prfAlg = null;
+ int prfHashLength = 0;
+ int prfBlockSize = 0;
+ byte[] output = null;
+
+ while (true) {
+ String line = reader.readLine();
+ lineNumber++;
+ if (line == null) {
+ break;
+ }
+ if (line.startsWith("prf-") == false) {
+ continue;
+ }
+
+ String data = line.substring(PREFIX_LENGTH);
+ if (line.startsWith("prf-secret:")) {
+ secret = parse(data);
+ } else if (line.startsWith("prf-label:")) {
+ label = data;
+ } else if (line.startsWith("prf-seed:")) {
+ seed = parse(data);
+ } else if (line.startsWith("prf-length:")) {
+ length = Integer.parseInt(data);
+ } else if (line.startsWith("prf-alg:")) {
+ prfAlg = data;
+ switch (prfAlg) {
+ case "SHA-224":
+ prfHashLength = 28;
+ prfBlockSize = 64;
+ break;
+ case "SHA-256":
+ prfHashLength = 32;
+ prfBlockSize = 64;
+ break;
+ case "SHA-384":
+ prfHashLength = 48;
+ prfBlockSize = 128;
+ break;
+ case "SHA-512":
+ prfHashLength = 64;
+ prfBlockSize = 128;
+ break;
+ default:
+ throw new Exception("Unknown Alg in the data.");
+ }
+ } else if (line.startsWith("prf-output:")) {
+ output = parse(data);
+
+ System.out.print(".");
+ n++;
+
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTls12Prf", provider);
+ SecretKey inKey;
+ if (secret == null) {
+ inKey = null;
+ } else {
+ inKey = new SecretKeySpec(secret, "Generic");
+ }
+ TlsPrfParameterSpec spec =
+ new TlsPrfParameterSpec(inKey, label, seed, length,
+ prfAlg, prfHashLength, prfBlockSize);
+ kg.init(spec);
+ SecretKey key = kg.generateKey();
+ byte[] enc = key.getEncoded();
+ if (Arrays.equals(output, enc) == false) {
+ throw new Exception("mismatch line: " + lineNumber);
+ }
+ } else {
+ throw new Exception("Unknown line: " + line);
+ }
+ }
+ if (n == 0) {
+ throw new Exception("no tests");
+ }
+ in.close();
+ System.out.println();
+ System.out.println("OK: " + n + " tests");
+ }
+
+}
diff --git a/test/com/sun/crypto/provider/TLS/TestPremaster.java b/test/com/sun/crypto/provider/TLS/TestPremaster.java
index ecdac1552108f2d79e4b09740f5030cf614dcb82..6ea808c8781dda62f1506ed718300a5a0ec36cbb 100644
--- a/test/com/sun/crypto/provider/TLS/TestPremaster.java
+++ b/test/com/sun/crypto/provider/TLS/TestPremaster.java
@@ -60,7 +60,8 @@ public class TestPremaster {
System.out.println("Done.");
}
- private static void test(KeyGenerator kg, int major, int minor) throws Exception {
+ private static void test(KeyGenerator kg, int major, int minor)
+ throws Exception {
kg.init(new TlsRsaPremasterSecretParameterSpec(major, minor));
SecretKey key = kg.generateKey();
@@ -69,7 +70,8 @@ public class TestPremaster {
throw new Exception("length: " + encoded.length);
}
if ((encoded[0] != major) || (encoded[1] != minor)) {
- throw new Exception("version mismatch: " + encoded[0] + "." + encoded[1]);
+ throw new Exception("version mismatch: " + encoded[0] +
+ "." + encoded[1]);
}
System.out.println("OK: " + major + "." + minor);
}
diff --git a/test/com/sun/crypto/provider/TLS/Utils.java b/test/com/sun/crypto/provider/TLS/Utils.java
index b588a657c2f4ff480db8618565d8eb18ebd00adb..96e51f5d4000540093c853c280d26070755953da 100644
--- a/test/com/sun/crypto/provider/TLS/Utils.java
+++ b/test/com/sun/crypto/provider/TLS/Utils.java
@@ -22,7 +22,6 @@
*/
import java.io.*;
-import java.util.*;
class Utils {
diff --git a/test/com/sun/crypto/provider/TLS/prf12data.txt b/test/com/sun/crypto/provider/TLS/prf12data.txt
new file mode 100644
index 0000000000000000000000000000000000000000..db2652c9bcb7890c32ee39346aa6407c1dd9ed09
--- /dev/null
+++ b/test/com/sun/crypto/provider/TLS/prf12data.txt
@@ -0,0 +1,19 @@
+prf-secret: 9b:be:43:6b:a9:40:f0:17:b1:76:52:84:9a:71:db:35
+prf-seed: a0:ba:9f:93:6c:da:31:18:27:a6:f7:96:ff:d5:19:8c
+prf-label: test label
+prf-length: 100
+prf-alg: SHA-256
+prf-output: e3:f2:29:ba:72:7b:e1:7b:8d:12:26:20:55:7c:d4:53:c2:aa:b2:1d:07:c3:d4:95:32:9b:52:d4:e6:1e:db:5a:6b:30:17:91:e9:0d:35:c9:c9:a4:6b:4e:14:ba:f9:af:0f:a0:22:f7:07:7d:ef:17:ab:fd:37:97:c0:56:4b:ab:4f:bc:91:66:6e:9d:ef:9b:97:fc:e3:4f:79:67:89:ba:a4:80:82:d1:22:ee:42:c5:a7:2e:5a:51:10:ff:f7:01:87:34:7b:66
+prf-secret: b8:0b:73:3d:6c:ee:fc:dc:71:56:6e:a4:8e:55:67:df
+prf-seed: cd:66:5c:f6:a8:44:7d:d6:ff:8b:27:55:5e:db:74:65
+prf-label: test label
+prf-length: 148
+prf-alg: SHA-384
+prf-output: 7b:0c:18:e9:ce:d4:10:ed:18:04:f2:cf:a3:4a:33:6a:1c:14:df:fb:49:00:bb:5f:d7:94:21:07:e8:1c:83:cd:e9:ca:0f:aa:60:be:9f:e3:4f:82:b1:23:3c:91:46:a0:e5:34:cb:40:0f:ed:27:00:88:4f:9d:c2:36:f8:0e:dd:8b:fa:96:11:44:c9:e8:d7:92:ec:a7:22:a7:b3:2f:c3:d4:16:d4:73:eb:c2:c5:fd:4a:bf:da:d0:5d:91:84:25:9b:5b:f8:cd:4d:90:fa:0d:31:e2:de:c4:79:e4:f1:a2:60:66:f2:ee:a9:a6:92:36:a3:e5:26:55:c9:e9:ae:e6:91:c8:f3:a2:68:54:30:8d:5e:aa:3b:e8:5e:09:90:70:3d:73:e5:6f
+prf-secret: b0:32:35:23:c1:85:35:99:58:4d:88:56:8b:bb:05:eb
+prf-seed: d4:64:0e:12:e4:bc:db:fb:43:7f:03:e6:ae:41:8e:e5
+prf-label: test label
+prf-length: 196
+prf-alg: SHA-512
+prf-output: 12:61:f5:88:c7:98:c5:c2:01:ff:03:6e:7a:9c:b5:ed:cd:7f:e3:f9:4c:66:9a:12:2a:46:38:d7:d5:08:b2:83:04:2d:f6:78:98:75:c7:14:7e:90:6d:86:8b:c7:5c:45:e2:0e:b4:0c:1c:f4:a1:71:3b:27:37:1f:68:43:25:92:f7:dc:8e:a8:ef:22:3e:12:ea:85:07:84:13:11:bf:68:65:3d:0c:fc:40:56:d8:11:f0:25:c4:5d:df:a6:e6:fe:c7:02:f0:54:b4:09:d6:f2:8d:d0:a3:23:3e:49:8d:a4:1a:3e:75:c5:63:0e:ed:be:22:fe:25:4e:33:a1:b0:e9:f6:b9:82:66:75:be:c7:d0:1a:84:56:58:dc:9c:39:75:45:40:1d:40:b9:f4:6c:7a:40:0e:e1:b8:f8:1c:a0:a6:0d:1a:39:7a:10:28:bf:f5:d2:ef:50:66:12:68:42:fb:8d:a4:19:76:32:bd:b5:4f:f6:63:3f:86:bb:c8:36:e6:40:d4:d8:98
+
diff --git a/test/sun/security/ec/TestEC.java b/test/sun/security/ec/TestEC.java
index 985e5cfd7a4ab18487ab82e431ac968ad0a767b9..fe075cd3f0a4c0d66108e3b6ea3e263ea7240eb2 100644
--- a/test/sun/security/ec/TestEC.java
+++ b/test/sun/security/ec/TestEC.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
* @test
* @bug 6840752
* @summary Provide out-of-the-box support for ECC algorithms
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
* @library ../pkcs11
* @library ../pkcs11/ec
* @library ../pkcs11/sslecc
diff --git a/test/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java b/test/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java
index 486a1b09be7825f22bf95e23ece2a25457e4d6f3..5362f59071e68fa1f1a600204c9e263aef758d72 100644
--- a/test/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java
+++ b/test/sun/security/pkcs11/fips/ClientJSSEServerJSSE.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
* @test
* @bug 6313675 6323647
* @summary Verify that all ciphersuites work in FIPS mode
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
* @author Andreas Sterbenz
* @library ..
*/
diff --git a/test/sun/security/pkcs11/tls/TestKeyMaterial.java b/test/sun/security/pkcs11/tls/TestKeyMaterial.java
index f8e79b33f17021011db7f2fc61f89e492e1514b0..e32f6c3c19ff19a30946396cb888f49fb54e3e8b 100644
--- a/test/sun/security/pkcs11/tls/TestKeyMaterial.java
+++ b/test/sun/security/pkcs11/tls/TestKeyMaterial.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -125,16 +125,23 @@ public class TestKeyMaterial extends PKCS11Test {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsKeyMaterial", provider);
- SecretKey masterKey = new SecretKeySpec(master, "TlsMasterSecret");
- TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec
- (masterKey, major, minor, clientRandom, serverRandom, cipherAlgorithm,
- keyLength, expandedKeyLength, ivLength, macLength);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsKeyMaterial", provider);
+ SecretKey masterKey =
+ new SecretKeySpec(master, "TlsMasterSecret");
+ TlsKeyMaterialParameterSpec spec =
+ new TlsKeyMaterialParameterSpec(masterKey, major, minor,
+ clientRandom, serverRandom, cipherAlgorithm,
+ keyLength, expandedKeyLength, ivLength, macLength,
+ null, -1, -1);
kg.init(spec);
- TlsKeyMaterialSpec result = (TlsKeyMaterialSpec)kg.generateKey();
- match(lineNumber, clientCipherBytes, result.getClientCipherKey(), cipherAlgorithm);
- match(lineNumber, serverCipherBytes, result.getServerCipherKey(), cipherAlgorithm);
+ TlsKeyMaterialSpec result =
+ (TlsKeyMaterialSpec)kg.generateKey();
+ match(lineNumber, clientCipherBytes,
+ result.getClientCipherKey(), cipherAlgorithm);
+ match(lineNumber, serverCipherBytes,
+ result.getServerCipherKey(), cipherAlgorithm);
match(lineNumber, clientIv, result.getClientIv(), "");
match(lineNumber, serverIv, result.getServerIv(), "");
match(lineNumber, clientMacBytes, result.getClientMacKey(), "");
@@ -158,7 +165,8 @@ public class TestKeyMaterial extends PKCS11Test {
}
}
- private static void match(int lineNumber, byte[] out, Object res, String cipherAlgorithm) throws Exception {
+ private static void match(int lineNumber, byte[] out, Object res,
+ String cipherAlgorithm) throws Exception {
if ((out == null) || (res == null)) {
if (out != res) {
throw new Exception("null mismatch line " + lineNumber);
@@ -169,7 +177,8 @@ public class TestKeyMaterial extends PKCS11Test {
byte[] b;
if (res instanceof SecretKey) {
b = ((SecretKey)res).getEncoded();
- if (cipherAlgorithm.equalsIgnoreCase("DES") || cipherAlgorithm.equalsIgnoreCase("DESede")) {
+ if (cipherAlgorithm.equalsIgnoreCase("DES") ||
+ cipherAlgorithm.equalsIgnoreCase("DESede")) {
// strip DES parity bits before comparision
stripParity(out);
stripParity(b);
diff --git a/test/sun/security/pkcs11/tls/TestMasterSecret.java b/test/sun/security/pkcs11/tls/TestMasterSecret.java
index b4c6369ac5c676dfb0677c7088f0f662b4d894a1..e1fa4d984ca6b54d783168435997b98543170952 100644
--- a/test/sun/security/pkcs11/tls/TestMasterSecret.java
+++ b/test/sun/security/pkcs11/tls/TestMasterSecret.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -104,17 +104,22 @@ public class TestMasterSecret extends PKCS11Test {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsMasterSecret", provider);
- SecretKey premasterKey = new SecretKeySpec(premaster, algorithm);
- TlsMasterSecretParameterSpec spec = new TlsMasterSecretParameterSpec
- (premasterKey, protoMajor, protoMinor, clientRandom, serverRandom);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsMasterSecret", provider);
+ SecretKey premasterKey =
+ new SecretKeySpec(premaster, algorithm);
+ TlsMasterSecretParameterSpec spec =
+ new TlsMasterSecretParameterSpec(premasterKey,
+ protoMajor, protoMinor, clientRandom, serverRandom,
+ null, -1, -1);
kg.init(spec);
TlsMasterSecret key = (TlsMasterSecret)kg.generateKey();
byte[] enc = key.getEncoded();
if (Arrays.equals(master, enc) == false) {
throw new Exception("mismatch line: " + lineNumber);
}
- if ((preMajor != key.getMajorVersion()) || (preMinor != key.getMinorVersion())) {
+ if ((preMajor != key.getMajorVersion()) ||
+ (preMinor != key.getMinorVersion())) {
throw new Exception("version mismatch line: " + lineNumber);
}
} else {
diff --git a/test/sun/security/pkcs11/tls/TestPRF.java b/test/sun/security/pkcs11/tls/TestPRF.java
index 7ed40c441c0a99d84fe402a7fdfe212c632ea692..60b125282776168f9b9f135769ed468e481e2a43 100644
--- a/test/sun/security/pkcs11/tls/TestPRF.java
+++ b/test/sun/security/pkcs11/tls/TestPRF.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -93,14 +93,17 @@ public class TestPRF extends PKCS11Test {
System.out.print(".");
n++;
- KeyGenerator kg = KeyGenerator.getInstance("SunTlsPrf", provider);
+ KeyGenerator kg =
+ KeyGenerator.getInstance("SunTlsPrf", provider);
SecretKey inKey;
if (secret == null) {
inKey = null;
} else {
inKey = new SecretKeySpec(secret, "Generic");
}
- TlsPrfParameterSpec spec = new TlsPrfParameterSpec(inKey, label, seed, length);
+ TlsPrfParameterSpec spec =
+ new TlsPrfParameterSpec(inKey, label, seed, length,
+ null, -1, -1);
SecretKey key;
try {
kg.init(spec);
@@ -109,7 +112,8 @@ public class TestPRF extends PKCS11Test {
if (secret == null) {
// This fails on Solaris, but since we never call this
// API for this case in JSSE, ignore the failure.
- // (SunJSSE uses the CKM_TLS_KEY_AND_MAC_DERIVE mechanism)
+ // (SunJSSE uses the CKM_TLS_KEY_AND_MAC_DERIVE
+ // mechanism)
System.out.print("X");
continue;
}
diff --git a/test/sun/security/pkcs11/tls/TestPremaster.java b/test/sun/security/pkcs11/tls/TestPremaster.java
index 4d0851a3318a1ed65bfa3017a571f4be9832829d..4fba2fd194543197ff87f1ba900bdb252a3b896e 100644
--- a/test/sun/security/pkcs11/tls/TestPremaster.java
+++ b/test/sun/security/pkcs11/tls/TestPremaster.java
@@ -44,7 +44,8 @@ public class TestPremaster extends PKCS11Test {
}
public void main(Provider provider) throws Exception {
- if (provider.getService("KeyGenerator", "SunTlsRsaPremasterSecret") == null) {
+ if (provider.getService(
+ "KeyGenerator", "SunTlsRsaPremasterSecret") == null) {
System.out.println("Not supported by provider, skipping");
return;
}
@@ -66,7 +67,8 @@ public class TestPremaster extends PKCS11Test {
System.out.println("Done.");
}
- private static void test(KeyGenerator kg, int major, int minor) throws Exception {
+ private static void test(KeyGenerator kg, int major, int minor)
+ throws Exception {
kg.init(new TlsRsaPremasterSecretParameterSpec(major, minor));
SecretKey key = kg.generateKey();
@@ -75,7 +77,8 @@ public class TestPremaster extends PKCS11Test {
throw new Exception("length: " + encoded.length);
}
if ((encoded[0] != major) || (encoded[1] != minor)) {
- throw new Exception("version mismatch: " + encoded[0] + "." + encoded[1]);
+ throw new Exception("version mismatch: " + encoded[0] +
+ "." + encoded[1]);
}
System.out.println("OK: " + major + "." + minor);
}
diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/ClientModeClientAuth.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/ClientModeClientAuth.java
index 792e73ddbd0e5f2ef46b7c730b9bd21c54acd97c..7b30631693374aacc29c9f599334f8f2b6ee5362 100644
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/ClientModeClientAuth.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLSocketImpl/ClientModeClientAuth.java
@@ -24,6 +24,7 @@
/*
* @test
* @bug 4390659
+ * @run main/othervm -Djavax.net.debug=all ClientModeClientAuth
* @summary setNeedClientAuth() isn't working after a handshaker is established
* @author Brad Wetmore
*/
diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ClientServer.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ClientServer.java
index 6884d5075c0adb8e28a3eb5ab80ddd4d2761e94b..1c2eb6b1ce3335cf22ec5982b5066598fb8f8373 100644
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ClientServer.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ClientServer.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
* @test
* @bug 4717766
* @summary 1.0.3 JsseX509TrustManager erroneously calls isClientTrusted()
+ * @ignore JSSE supports algorithm constraints with CR 6916074,
+ * need to update this test case in JDK 7 soon
* @author Brad Wetmore
*
* This problem didn't exist in JSSE 1.4, only JSSE 1.0.3. However,
diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
new file mode 100644
index 0000000000000000000000000000000000000000..d29ef31ffee497e0cf06a312b8c6760145782937
--- /dev/null
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java
@@ -0,0 +1,882 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+
+/*
+ * @test
+ * @bug 6916074
+ * @summary Add support for TLS 1.2
+ */
+
+import java.net.*;
+import java.util.*;
+import java.io.*;
+import javax.net.ssl.*;
+import java.security.KeyStore;
+import java.security.KeyFactory;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.math.BigInteger;
+
+
+/*
+ * Certificates and key used in the test.
+ *
+ * TLS server certificate:
+ * server private key:
+ * -----BEGIN RSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: DES-EDE3-CBC,D9AE407F6D0E389A
+ *
+ * WPrA7TFol/cQCcp9oHnXWNpYlvRbbIcQj0m+RKT2Iuzfus+DHt3Zadf8nJpKfX2e
+ * h2rnhlzCN9M7djRDooZKDOPCsdBn51Au7HlZF3S3Opgo7D8XFM1a8t1Je4ke14oI
+ * nw6QKYsBblRziPnP2PZ0zvX24nOv7bbY8beynlJHGs00VWSFdoH2DS0aE1p6D+3n
+ * ptJuJ75dVfZFK4X7162APlNXevX8D6PEQpSiRw1rjjGGcnvQ4HdWk3BxDVDcCNJb
+ * Y1aGNRxsjTDvPi3R9Qx2M+W03QzEPx4SR3ZHVskeSJHaetM0TM/w/45Paq4GokXP
+ * ZeTnbEx1xmjkA7h+t4doLL4watx5F6yLsJzu8xB3lt/1EtmkYtLz1t7X4BetPAXz
+ * zS69X/VwhKfsOI3qXBWuL2oHPyhDmT1gcaUQwEPSV6ogHEEQEDXdiUS8heNK13KF
+ * TCQYFkETvV2BLxUhV1hypPzRQ6tUpJiAbD5KmoK2lD9slshG2QtvKQq0/bgkDY5J
+ * LhDHV2dtcZ3kDPkkZXpbcJQvoeH3d09C5sIsuTFo2zgNR6oETHUc5TzP6FY2YYRa
+ * QcK5HcmtsRRiXFm01ac+aMejJUIujjFt84SiKWT/73vC8AmY4tYcJBLjCg4XIxSH
+ * fdDFLL1YZENNO5ivlp8mdiHqcawx+36L7DrEZQ8RZt6cqST5t/+XTdM74s6k81GT
+ * pNsa82P2K2zmIUZ/DL2mKjW1vfRByw1NQFEBkN3vdyZxYfM/JyUzX4hbjXBEkh9Q
+ * QYrcwLKLjis2QzSvK04B3bvRzRb+4ocWiso8ZPAXAIxZFBWDpTMM2A==
+ * -----END RSA PRIVATE KEY-----
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * MIICXAIBAAKBgQClrFscN6LdmYktsnm4j9VIpecchBeNaZzGrG358h0fORna03Ie
+ * buxEzHCk3LoAMPagTz1UemFqzFfQCn+VKBg/mtmU8hvIJIh+/p0PPftXUwizIDPU
+ * PxdHFNHN6gjYDnVOr77M0uyvqXpJ38LZrLgkQJCmA1Yq0DAFQCxPq9l0iQIDAQAB
+ * AoGAbqcbg1E1mkR99uOJoNeQYKFOJyGiiXTMnXV1TseC4+PDfQBU7Dax35GcesBi
+ * CtapIpFKKS5D+ozY6b7ZT8ojxuQ/uHLPAvz0WDR3ds4iRF8tyu71Q1ZHcQsJa17y
+ * yO7UbkSSKn/Mp9Rb+/dKqftUGNXVFLqgHBOzN2s3We3bbbECQQDYBPKOg3hkaGHo
+ * OhpHKqtQ6EVkldihG/3i4WejRonelXN+HRh1KrB2HBx0M8D/qAzP1i3rNSlSHer4
+ * 59YRTJnHAkEAxFX/sVYSn07BHv9Zhn6XXct/Cj43z/tKNbzlNbcxqQwQerw3IH51
+ * 8UH2YOA+GD3lXbKp+MytoFLWv8zg4YT/LwJAfqan75Z1R6lLffRS49bIiq8jwE16
+ * rTrUJ+kv8jKxMqc9B3vXkxpsS1M/+4E8bqgAmvpgAb8xcsvHsBd9ErdukQJBAKs2
+ * j67W75BrPjBI34pQ1LEfp56IGWXOrq1kF8IbCjxv3+MYRT6Z6UJFkpRymNPNDjsC
+ * dgUYgITiGJHUGXuw3lMCQHEHqo9ZtXz92yFT+VhsNc29B8m/sqUJdtCcMd/jGpAF
+ * u6GHufjqIZBpQsk63wbwESAPZZ+kk1O1kS5GIRLX608=
+ * -----END RSA PRIVATE KEY-----
+ *
+ * Private-Key: (1024 bit)
+ * modulus:
+ * 00:a5:ac:5b:1c:37:a2:dd:99:89:2d:b2:79:b8:8f:
+ * d5:48:a5:e7:1c:84:17:8d:69:9c:c6:ac:6d:f9:f2:
+ * 1d:1f:39:19:da:d3:72:1e:6e:ec:44:cc:70:a4:dc:
+ * ba:00:30:f6:a0:4f:3d:54:7a:61:6a:cc:57:d0:0a:
+ * 7f:95:28:18:3f:9a:d9:94:f2:1b:c8:24:88:7e:fe:
+ * 9d:0f:3d:fb:57:53:08:b3:20:33:d4:3f:17:47:14:
+ * d1:cd:ea:08:d8:0e:75:4e:af:be:cc:d2:ec:af:a9:
+ * 7a:49:df:c2:d9:ac:b8:24:40:90:a6:03:56:2a:d0:
+ * 30:05:40:2c:4f:ab:d9:74:89
+ * publicExponent: 65537 (0x10001)
+ * privateExponent:
+ * 6e:a7:1b:83:51:35:9a:44:7d:f6:e3:89:a0:d7:90:
+ * 60:a1:4e:27:21:a2:89:74:cc:9d:75:75:4e:c7:82:
+ * e3:e3:c3:7d:00:54:ec:36:b1:df:91:9c:7a:c0:62:
+ * 0a:d6:a9:22:91:4a:29:2e:43:fa:8c:d8:e9:be:d9:
+ * 4f:ca:23:c6:e4:3f:b8:72:cf:02:fc:f4:58:34:77:
+ * 76:ce:22:44:5f:2d:ca:ee:f5:43:56:47:71:0b:09:
+ * 6b:5e:f2:c8:ee:d4:6e:44:92:2a:7f:cc:a7:d4:5b:
+ * fb:f7:4a:a9:fb:54:18:d5:d5:14:ba:a0:1c:13:b3:
+ * 37:6b:37:59:ed:db:6d:b1
+ * prime1:
+ * 00:d8:04:f2:8e:83:78:64:68:61:e8:3a:1a:47:2a:
+ * ab:50:e8:45:64:95:d8:a1:1b:fd:e2:e1:67:a3:46:
+ * 89:de:95:73:7e:1d:18:75:2a:b0:76:1c:1c:74:33:
+ * c0:ff:a8:0c:cf:d6:2d:eb:35:29:52:1d:ea:f8:e7:
+ * d6:11:4c:99:c7
+ * prime2:
+ * 00:c4:55:ff:b1:56:12:9f:4e:c1:1e:ff:59:86:7e:
+ * 97:5d:cb:7f:0a:3e:37:cf:fb:4a:35:bc:e5:35:b7:
+ * 31:a9:0c:10:7a:bc:37:20:7e:75:f1:41:f6:60:e0:
+ * 3e:18:3d:e5:5d:b2:a9:f8:cc:ad:a0:52:d6:bf:cc:
+ * e0:e1:84:ff:2f
+ * exponent1:
+ * 7e:a6:a7:ef:96:75:47:a9:4b:7d:f4:52:e3:d6:c8:
+ * 8a:af:23:c0:4d:7a:ad:3a:d4:27:e9:2f:f2:32:b1:
+ * 32:a7:3d:07:7b:d7:93:1a:6c:4b:53:3f:fb:81:3c:
+ * 6e:a8:00:9a:fa:60:01:bf:31:72:cb:c7:b0:17:7d:
+ * 12:b7:6e:91
+ * exponent2:
+ * 00:ab:36:8f:ae:d6:ef:90:6b:3e:30:48:df:8a:50:
+ * d4:b1:1f:a7:9e:88:19:65:ce:ae:ad:64:17:c2:1b:
+ * 0a:3c:6f:df:e3:18:45:3e:99:e9:42:45:92:94:72:
+ * 98:d3:cd:0e:3b:02:76:05:18:80:84:e2:18:91:d4:
+ * 19:7b:b0:de:53
+ * coefficient:
+ * 71:07:aa:8f:59:b5:7c:fd:db:21:53:f9:58:6c:35:
+ * cd:bd:07:c9:bf:b2:a5:09:76:d0:9c:31:df:e3:1a:
+ * 90:05:bb:a1:87:b9:f8:ea:21:90:69:42:c9:3a:df:
+ * 06:f0:11:20:0f:65:9f:a4:93:53:b5:91:2e:46:21:
+ * 12:d7:eb:4f
+ *
+ *
+ * server certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 8 (0x8)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 03:43:04 2008 GMT
+ * Not After : Aug 25 03:43:04 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Server, CN=localhost
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:a5:ac:5b:1c:37:a2:dd:99:89:2d:b2:79:b8:8f:
+ * d5:48:a5:e7:1c:84:17:8d:69:9c:c6:ac:6d:f9:f2:
+ * 1d:1f:39:19:da:d3:72:1e:6e:ec:44:cc:70:a4:dc:
+ * ba:00:30:f6:a0:4f:3d:54:7a:61:6a:cc:57:d0:0a:
+ * 7f:95:28:18:3f:9a:d9:94:f2:1b:c8:24:88:7e:fe:
+ * 9d:0f:3d:fb:57:53:08:b3:20:33:d4:3f:17:47:14:
+ * d1:cd:ea:08:d8:0e:75:4e:af:be:cc:d2:ec:af:a9:
+ * 7a:49:df:c2:d9:ac:b8:24:40:90:a6:03:56:2a:d0:
+ * 30:05:40:2c:4f:ab:d9:74:89
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Basic Constraints:
+ * CA:FALSE
+ * X509v3 Key Usage:
+ * Digital Signature, Non Repudiation, Key Encipherment
+ * X509v3 Subject Key Identifier:
+ * ED:6E:DB:F4:B5:56:C8:FB:1A:06:61:3F:0F:08:BB:A6:04:D8:16:54
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ *
+ * X509v3 Subject Alternative Name: critical
+ * DNS:localhost
+ * Signature Algorithm: md5WithRSAEncryption0
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICpDCCAg2gAwIBAgIBCDANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMDRaFw0yODA4MjUwMzQzMDRaMHIxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtU2VydmVyMRIwEAYD
+ * VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWsWxw3
+ * ot2ZiS2yebiP1Uil5xyEF41pnMasbfnyHR85GdrTch5u7ETMcKTcugAw9qBPPVR6
+ * YWrMV9AKf5UoGD+a2ZTyG8gkiH7+nQ89+1dTCLMgM9Q/F0cU0c3qCNgOdU6vvszS
+ * 7K+peknfwtmsuCRAkKYDVirQMAVALE+r2XSJAgMBAAGjczBxMAkGA1UdEwQCMAAw
+ * CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTtbtv0tVbI+xoGYT8PCLumBNgWVDAfBgNV
+ * HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh
+ * bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAoqVTciHtcvsUj+YaTct8tUh3aTCsKsac
+ * PHhfQ+ObjiXSgxsKYTX7ym/wk/wvlbUcbqLKxsu7qrcJitH+H9heV1hEHEu65Uoi
+ * nRugFruyOrwvAylV8Cm2af7ddilmYJ+sdJA6N2M3xJRxR0G2LFHEXDNEjYReyexn
+ * JqCpf5uZGOo=
+ * -----END CERTIFICATE-----
+ *
+ *
+ * TLS client certificate:
+ * client private key:
+ * ----BEGIN RSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: DES-EDE3-CBC,FA2A435CD35A9390
+ *
+ * Z+Y2uaETbsUWIyJUyVu1UV2G4rgFYJyACZT6Tp1KjRtxflSh2kXkJ9MpuXMXA0V4
+ * Yy3fDzPqCL9NJmQAYRlAx/W/+j4F5EyMWDIx8fUxzONRZyoiwF7jLm+KscAfv6Pf
+ * q7ItWOdj3z7IYrwlB8YIGd3F2cDKT3S+lYRk7rKb/qT7itbuHnY4Ardh3yl+MZak
+ * jBp+ELUlRsUqSr1V0LoM+0rCCykarpyfhpxEcqsrl0v9Cyi5uhU50/oKv5zql3SH
+ * l2ImgDjp3batAs8+Bd4NF2aqi0a7Hy44JUHxRm4caZryU/i/D9N1MbuM6882HLat
+ * 5N0G+NaIUfywa8mjwq2D5aiit18HqKA6XeRRYeJ5Dvu9DCO4GeFSwcUFIBMI0L46
+ * 7s114+oDodg57pMgITi+04vmUxvqlN9aiyd7f5Fgd7PeHGeOdbMz1NaJLJaPI9++
+ * NakK8eK9iwT/Gdq0Uap5/CHW7vCT5PO+h3HY0STH0lWStXhdWnFO04zTdywsbSp+
+ * DLpHeFT66shfeUlxR0PsCbG9vPRt/QmGLeYQZITppWo/ylSq4j+pRIuXvuWHdBRN
+ * rTZ8QF4Y7AxQUXVz1j1++s6ZMHTzaK2i9HrhmDs1MbJl+QwWre3Xpv3LvTVz3k5U
+ * wX8kuY1m3STt71QCaRWENq5sRaMImLxZbxc/ivFl9RAzUqo4NCxLod/QgA4iLqtO
+ * ztnlpzwlC/F8HbQ1oqYWwnZAPhzU/cULtstl+Yrws2c2atO323LbPXZqbASySgig
+ * sNpFXQMObdfP6LN23bY+1SvtK7V4NUTNhpdIc6INQAQ=
+ * -----END RSA PRIVATE KEY-----
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * MIICWwIBAAKBgQC78EA2rCZUTvSjWgAvaSFvuXo6k+yi9uGOx2PYLxIwmS6w8o/4
+ * Jy0keCiE9wG/jUR53TvSVfPOPLJbIX3v/TNKsaP/xsibuQ98QTWX+ds6BWAFFa9Z
+ * F5KjEK0WHOQHU6+odqJWKpLT+SjgeM9eH0irXBnd4WdDunWN9YKsQ5JEGwIDAQAB
+ * AoGAEbdqNj0wN85hnWyEi/ObJU8UyKTdL9eaF72QGfcF/fLSxfd3vurihIeXOkGW
+ * tpn4lIxYcVGM9CognhqgJpl11jFTQzn1KqZ+NEJRKkCHA4hDabKJbSC9fXHvRwrf
+ * BsFpZqgiNxp3HseUTiwnaUVeyPgMt/jAj5nB5Sib+UyUxrECQQDnNQBiF2aifEg6
+ * zbJOOC7he5CHAdkFxSxWVFVHL6EfXfqdLVkUohMbgZv+XxyIeU2biOExSg49Kds3
+ * FOKgTau1AkEA0Bd1haj6QuCo8I0AXm2WO+MMTZMTvtHD/bGjKNM+fT4I8rKYnQRX
+ * 1acHdqS9Xx2rNJqZgkMmpESIdPR2fc4yjwJALFeM6EMmqvj8/VIf5UJ/Mz14fXwM
+ * PEARfckUxd9LnnFutCBTWlKvKXJVEZb6KO5ixPaegc57Jp3Vbh3yTN44lQJADD/1
+ * SSMDaIB1MYP7a5Oj7m6VQNPRq8AJe5vDcRnOae0G9dKRrVyeFxO4GsHj6/+BHp2j
+ * P8nYMn9eURQ7DXjf/QJAAQzMlWnKGSO8pyTDtnQx3hRMoUkOEhmNq4bQhLkYqtnY
+ * FcqpUQ2qMjW+NiNWk5HnTrMS3L9EdJobMUzaNZLy4w==
+ * -----END RSA PRIVATE KEY-----
+ *
+ * Private-Key: (1024 bit)
+ * modulus:
+ * 00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
+ * 21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
+ * 12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
+ * 01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
+ * 7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
+ * 35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
+ * ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
+ * 28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
+ * 75:8d:f5:82:ac:43:92:44:1b
+ * publicExponent: 65537 (0x10001)
+ * privateExponent:
+ * 11:b7:6a:36:3d:30:37:ce:61:9d:6c:84:8b:f3:9b:
+ * 25:4f:14:c8:a4:dd:2f:d7:9a:17:bd:90:19:f7:05:
+ * fd:f2:d2:c5:f7:77:be:ea:e2:84:87:97:3a:41:96:
+ * b6:99:f8:94:8c:58:71:51:8c:f4:2a:20:9e:1a:a0:
+ * 26:99:75:d6:31:53:43:39:f5:2a:a6:7e:34:42:51:
+ * 2a:40:87:03:88:43:69:b2:89:6d:20:bd:7d:71:ef:
+ * 47:0a:df:06:c1:69:66:a8:22:37:1a:77:1e:c7:94:
+ * 4e:2c:27:69:45:5e:c8:f8:0c:b7:f8:c0:8f:99:c1:
+ * e5:28:9b:f9:4c:94:c6:b1
+ * prime1:
+ * 00:e7:35:00:62:17:66:a2:7c:48:3a:cd:b2:4e:38:
+ * 2e:e1:7b:90:87:01:d9:05:c5:2c:56:54:55:47:2f:
+ * a1:1f:5d:fa:9d:2d:59:14:a2:13:1b:81:9b:fe:5f:
+ * 1c:88:79:4d:9b:88:e1:31:4a:0e:3d:29:db:37:14:
+ * e2:a0:4d:ab:b5
+ * prime2:
+ * 00:d0:17:75:85:a8:fa:42:e0:a8:f0:8d:00:5e:6d:
+ * 96:3b:e3:0c:4d:93:13:be:d1:c3:fd:b1:a3:28:d3:
+ * 3e:7d:3e:08:f2:b2:98:9d:04:57:d5:a7:07:76:a4:
+ * bd:5f:1d:ab:34:9a:99:82:43:26:a4:44:88:74:f4:
+ * 76:7d:ce:32:8f
+ * exponent1:
+ * 2c:57:8c:e8:43:26:aa:f8:fc:fd:52:1f:e5:42:7f:
+ * 33:3d:78:7d:7c:0c:3c:40:11:7d:c9:14:c5:df:4b:
+ * 9e:71:6e:b4:20:53:5a:52:af:29:72:55:11:96:fa:
+ * 28:ee:62:c4:f6:9e:81:ce:7b:26:9d:d5:6e:1d:f2:
+ * 4c:de:38:95
+ * exponent2:
+ * 0c:3f:f5:49:23:03:68:80:75:31:83:fb:6b:93:a3:
+ * ee:6e:95:40:d3:d1:ab:c0:09:7b:9b:c3:71:19:ce:
+ * 69:ed:06:f5:d2:91:ad:5c:9e:17:13:b8:1a:c1:e3:
+ * eb:ff:81:1e:9d:a3:3f:c9:d8:32:7f:5e:51:14:3b:
+ * 0d:78:df:fd
+ * coefficient:
+ * 01:0c:cc:95:69:ca:19:23:bc:a7:24:c3:b6:74:31:
+ * de:14:4c:a1:49:0e:12:19:8d:ab:86:d0:84:b9:18:
+ * aa:d9:d8:15:ca:a9:51:0d:aa:32:35:be:36:23:56:
+ * 93:91:e7:4e:b3:12:dc:bf:44:74:9a:1b:31:4c:da:
+ * 35:92:f2:e3
+ *
+ * client certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 9 (0x9)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 03:43:24 2008 GMT
+ * Not After : Aug 25 03:43:24 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Client, CN=localhost
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
+ * 21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
+ * 12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
+ * 01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
+ * 7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
+ * 35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
+ * ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
+ * 28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
+ * 75:8d:f5:82:ac:43:92:44:1b
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Basic Constraints:
+ * CA:FALSE
+ * X509v3 Key Usage:
+ * Digital Signature, Non Repudiation, Key Encipherment
+ * X509v3 Subject Key Identifier:
+ * CD:BB:C8:85:AA:91:BD:FD:1D:BE:CD:67:7C:FF:B3:E9:4C:A8:22:E6
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ *
+ * X509v3 Subject Alternative Name: critical
+ * DNS:localhost
+ * Signature Algorithm: md5WithRSAEncryption
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICpDCCAg2gAwIBAgIBCTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMjRaFw0yODA4MjUwMzQzMjRaMHIxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD
+ * VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas
+ * JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV
+ * 8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq
+ * ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjczBxMAkGA1UdEwQCMAAw
+ * CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV
+ * HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh
+ * bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAm25gJyqW1JznQ1EyOtTGswBVwfgBOf+F
+ * HJuBTcflYQLbTD/AETPQJGvZU9tdhuLtbG3OPhR7vSY8zeAbfM3dbH7QFr3r47Gj
+ * XEH7qM/MX+Z3ifVaC4MeJmrYQkYFSuKeyyKpdRVX4w4nnFHF6OsNASsYrMW6LpxN
+ * cl/epUcHL7E=
+ * -----END CERTIFICATE-----
+ *
+ *
+ *
+ * Trusted CA certificate:
+ * Certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 0 (0x0)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 02:43:36 2008 GMT
+ * Not After : Aug 25 02:43:36 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:cb:c4:38:20:07:be:88:a7:93:b0:a1:43:51:2d:
+ * d7:8e:85:af:54:dd:ad:a2:7b:23:5b:cf:99:13:53:
+ * 99:45:7d:ee:6d:ba:2d:bf:e3:ad:6e:3d:9f:1a:f9:
+ * 03:97:e0:17:55:ae:11:26:57:de:01:29:8e:05:3f:
+ * 21:f7:e7:36:e8:2e:37:d7:48:ac:53:d6:60:0e:c7:
+ * 50:6d:f6:c5:85:f7:8b:a6:c5:91:35:72:3c:94:ee:
+ * f1:17:f0:71:e3:ec:1b:ce:ca:4e:40:42:b0:6d:ee:
+ * 6a:0e:d6:e5:ad:3c:0f:c9:ba:82:4f:78:f8:89:97:
+ * 89:2a:95:12:4c:d8:09:2a:e9
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Subject Key Identifier:
+ * FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ * DirName:/C=US/ST=Some-State/L=Some-City/O=Some-Org
+ * serial:00
+ *
+ * X509v3 Basic Constraints:
+ * CA:TRUE
+ * Signature Algorithm: md5WithRSAEncryption
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+ * gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX
+ * 4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj
+ * 7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G
+ * A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ
+ * hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt
+ * U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw
+ * DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA
+ * ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ
+ * LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P
+ * 6Mvf0r1PNTY2hwTJLJmKtg==
+ * -----END CERTIFICATE---
+ */
+
+
+public class PKIXExtendedTM {
+
+ /*
+ * =============================================================
+ * Set the various variables needed for the tests, then
+ * specify what tests to run on each side.
+ */
+
+ /*
+ * Should we run the client or server in a separate thread?
+ * Both sides can throw exceptions, but do you have a preference
+ * as to which side should be the main thread.
+ */
+ static boolean separateServerThread = true;
+
+ /*
+ * Where do we find the keystores?
+ */
+ static String trusedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
+ "gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX\n" +
+ "4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj\n" +
+ "7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G\n" +
+ "A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ\n" +
+ "hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt\n" +
+ "U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw\n" +
+ "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA\n" +
+ "ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ\n" +
+ "LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P\n" +
+ "6Mvf0r1PNTY2hwTJLJmKtg==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String serverCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICpDCCAg2gAwIBAgIBCDANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMDRaFw0yODA4MjUwMzQzMDRaMHIxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtU2VydmVyMRIwEAYD\n" +
+ "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWsWxw3\n" +
+ "ot2ZiS2yebiP1Uil5xyEF41pnMasbfnyHR85GdrTch5u7ETMcKTcugAw9qBPPVR6\n" +
+ "YWrMV9AKf5UoGD+a2ZTyG8gkiH7+nQ89+1dTCLMgM9Q/F0cU0c3qCNgOdU6vvszS\n" +
+ "7K+peknfwtmsuCRAkKYDVirQMAVALE+r2XSJAgMBAAGjczBxMAkGA1UdEwQCMAAw\n" +
+ "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTtbtv0tVbI+xoGYT8PCLumBNgWVDAfBgNV\n" +
+ "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh\n" +
+ "bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAoqVTciHtcvsUj+YaTct8tUh3aTCsKsac\n" +
+ "PHhfQ+ObjiXSgxsKYTX7ym/wk/wvlbUcbqLKxsu7qrcJitH+H9heV1hEHEu65Uoi\n" +
+ "nRugFruyOrwvAylV8Cm2af7ddilmYJ+sdJA6N2M3xJRxR0G2LFHEXDNEjYReyexn\n" +
+ "JqCpf5uZGOo=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String clientCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICpDCCAg2gAwIBAgIBCTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMjRaFw0yODA4MjUwMzQzMjRaMHIxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD\n" +
+ "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas\n" +
+ "JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV\n" +
+ "8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq\n" +
+ "ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjczBxMAkGA1UdEwQCMAAw\n" +
+ "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV\n" +
+ "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh\n" +
+ "bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAm25gJyqW1JznQ1EyOtTGswBVwfgBOf+F\n" +
+ "HJuBTcflYQLbTD/AETPQJGvZU9tdhuLtbG3OPhR7vSY8zeAbfM3dbH7QFr3r47Gj\n" +
+ "XEH7qM/MX+Z3ifVaC4MeJmrYQkYFSuKeyyKpdRVX4w4nnFHF6OsNASsYrMW6LpxN\n" +
+ "cl/epUcHL7E=\n" +
+ "-----END CERTIFICATE-----";
+
+ static byte serverPrivateExponent[] = {
+ (byte)0x6e, (byte)0xa7, (byte)0x1b, (byte)0x83,
+ (byte)0x51, (byte)0x35, (byte)0x9a, (byte)0x44,
+ (byte)0x7d, (byte)0xf6, (byte)0xe3, (byte)0x89,
+ (byte)0xa0, (byte)0xd7, (byte)0x90, (byte)0x60,
+ (byte)0xa1, (byte)0x4e, (byte)0x27, (byte)0x21,
+ (byte)0xa2, (byte)0x89, (byte)0x74, (byte)0xcc,
+ (byte)0x9d, (byte)0x75, (byte)0x75, (byte)0x4e,
+ (byte)0xc7, (byte)0x82, (byte)0xe3, (byte)0xe3,
+ (byte)0xc3, (byte)0x7d, (byte)0x00, (byte)0x54,
+ (byte)0xec, (byte)0x36, (byte)0xb1, (byte)0xdf,
+ (byte)0x91, (byte)0x9c, (byte)0x7a, (byte)0xc0,
+ (byte)0x62, (byte)0x0a, (byte)0xd6, (byte)0xa9,
+ (byte)0x22, (byte)0x91, (byte)0x4a, (byte)0x29,
+ (byte)0x2e, (byte)0x43, (byte)0xfa, (byte)0x8c,
+ (byte)0xd8, (byte)0xe9, (byte)0xbe, (byte)0xd9,
+ (byte)0x4f, (byte)0xca, (byte)0x23, (byte)0xc6,
+ (byte)0xe4, (byte)0x3f, (byte)0xb8, (byte)0x72,
+ (byte)0xcf, (byte)0x02, (byte)0xfc, (byte)0xf4,
+ (byte)0x58, (byte)0x34, (byte)0x77, (byte)0x76,
+ (byte)0xce, (byte)0x22, (byte)0x44, (byte)0x5f,
+ (byte)0x2d, (byte)0xca, (byte)0xee, (byte)0xf5,
+ (byte)0x43, (byte)0x56, (byte)0x47, (byte)0x71,
+ (byte)0x0b, (byte)0x09, (byte)0x6b, (byte)0x5e,
+ (byte)0xf2, (byte)0xc8, (byte)0xee, (byte)0xd4,
+ (byte)0x6e, (byte)0x44, (byte)0x92, (byte)0x2a,
+ (byte)0x7f, (byte)0xcc, (byte)0xa7, (byte)0xd4,
+ (byte)0x5b, (byte)0xfb, (byte)0xf7, (byte)0x4a,
+ (byte)0xa9, (byte)0xfb, (byte)0x54, (byte)0x18,
+ (byte)0xd5, (byte)0xd5, (byte)0x14, (byte)0xba,
+ (byte)0xa0, (byte)0x1c, (byte)0x13, (byte)0xb3,
+ (byte)0x37, (byte)0x6b, (byte)0x37, (byte)0x59,
+ (byte)0xed, (byte)0xdb, (byte)0x6d, (byte)0xb1
+ };
+
+ static byte serverModulus[] = {
+ (byte)0x00,
+ (byte)0xa5, (byte)0xac, (byte)0x5b, (byte)0x1c,
+ (byte)0x37, (byte)0xa2, (byte)0xdd, (byte)0x99,
+ (byte)0x89, (byte)0x2d, (byte)0xb2, (byte)0x79,
+ (byte)0xb8, (byte)0x8f, (byte)0xd5, (byte)0x48,
+ (byte)0xa5, (byte)0xe7, (byte)0x1c, (byte)0x84,
+ (byte)0x17, (byte)0x8d, (byte)0x69, (byte)0x9c,
+ (byte)0xc6, (byte)0xac, (byte)0x6d, (byte)0xf9,
+ (byte)0xf2, (byte)0x1d, (byte)0x1f, (byte)0x39,
+ (byte)0x19, (byte)0xda, (byte)0xd3, (byte)0x72,
+ (byte)0x1e, (byte)0x6e, (byte)0xec, (byte)0x44,
+ (byte)0xcc, (byte)0x70, (byte)0xa4, (byte)0xdc,
+ (byte)0xba, (byte)0x00, (byte)0x30, (byte)0xf6,
+ (byte)0xa0, (byte)0x4f, (byte)0x3d, (byte)0x54,
+ (byte)0x7a, (byte)0x61, (byte)0x6a, (byte)0xcc,
+ (byte)0x57, (byte)0xd0, (byte)0x0a, (byte)0x7f,
+ (byte)0x95, (byte)0x28, (byte)0x18, (byte)0x3f,
+ (byte)0x9a, (byte)0xd9, (byte)0x94, (byte)0xf2,
+ (byte)0x1b, (byte)0xc8, (byte)0x24, (byte)0x88,
+ (byte)0x7e, (byte)0xfe, (byte)0x9d, (byte)0x0f,
+ (byte)0x3d, (byte)0xfb, (byte)0x57, (byte)0x53,
+ (byte)0x08, (byte)0xb3, (byte)0x20, (byte)0x33,
+ (byte)0xd4, (byte)0x3f, (byte)0x17, (byte)0x47,
+ (byte)0x14, (byte)0xd1, (byte)0xcd, (byte)0xea,
+ (byte)0x08, (byte)0xd8, (byte)0x0e, (byte)0x75,
+ (byte)0x4e, (byte)0xaf, (byte)0xbe, (byte)0xcc,
+ (byte)0xd2, (byte)0xec, (byte)0xaf, (byte)0xa9,
+ (byte)0x7a, (byte)0x49, (byte)0xdf, (byte)0xc2,
+ (byte)0xd9, (byte)0xac, (byte)0xb8, (byte)0x24,
+ (byte)0x40, (byte)0x90, (byte)0xa6, (byte)0x03,
+ (byte)0x56, (byte)0x2a, (byte)0xd0, (byte)0x30,
+ (byte)0x05, (byte)0x40, (byte)0x2c, (byte)0x4f,
+ (byte)0xab, (byte)0xd9, (byte)0x74, (byte)0x89
+ };
+
+ static byte clientPrivateExponent[] = {
+ (byte)0x11, (byte)0xb7, (byte)0x6a, (byte)0x36,
+ (byte)0x3d, (byte)0x30, (byte)0x37, (byte)0xce,
+ (byte)0x61, (byte)0x9d, (byte)0x6c, (byte)0x84,
+ (byte)0x8b, (byte)0xf3, (byte)0x9b, (byte)0x25,
+ (byte)0x4f, (byte)0x14, (byte)0xc8, (byte)0xa4,
+ (byte)0xdd, (byte)0x2f, (byte)0xd7, (byte)0x9a,
+ (byte)0x17, (byte)0xbd, (byte)0x90, (byte)0x19,
+ (byte)0xf7, (byte)0x05, (byte)0xfd, (byte)0xf2,
+ (byte)0xd2, (byte)0xc5, (byte)0xf7, (byte)0x77,
+ (byte)0xbe, (byte)0xea, (byte)0xe2, (byte)0x84,
+ (byte)0x87, (byte)0x97, (byte)0x3a, (byte)0x41,
+ (byte)0x96, (byte)0xb6, (byte)0x99, (byte)0xf8,
+ (byte)0x94, (byte)0x8c, (byte)0x58, (byte)0x71,
+ (byte)0x51, (byte)0x8c, (byte)0xf4, (byte)0x2a,
+ (byte)0x20, (byte)0x9e, (byte)0x1a, (byte)0xa0,
+ (byte)0x26, (byte)0x99, (byte)0x75, (byte)0xd6,
+ (byte)0x31, (byte)0x53, (byte)0x43, (byte)0x39,
+ (byte)0xf5, (byte)0x2a, (byte)0xa6, (byte)0x7e,
+ (byte)0x34, (byte)0x42, (byte)0x51, (byte)0x2a,
+ (byte)0x40, (byte)0x87, (byte)0x03, (byte)0x88,
+ (byte)0x43, (byte)0x69, (byte)0xb2, (byte)0x89,
+ (byte)0x6d, (byte)0x20, (byte)0xbd, (byte)0x7d,
+ (byte)0x71, (byte)0xef, (byte)0x47, (byte)0x0a,
+ (byte)0xdf, (byte)0x06, (byte)0xc1, (byte)0x69,
+ (byte)0x66, (byte)0xa8, (byte)0x22, (byte)0x37,
+ (byte)0x1a, (byte)0x77, (byte)0x1e, (byte)0xc7,
+ (byte)0x94, (byte)0x4e, (byte)0x2c, (byte)0x27,
+ (byte)0x69, (byte)0x45, (byte)0x5e, (byte)0xc8,
+ (byte)0xf8, (byte)0x0c, (byte)0xb7, (byte)0xf8,
+ (byte)0xc0, (byte)0x8f, (byte)0x99, (byte)0xc1,
+ (byte)0xe5, (byte)0x28, (byte)0x9b, (byte)0xf9,
+ (byte)0x4c, (byte)0x94, (byte)0xc6, (byte)0xb1
+ };
+
+ static byte clientModulus[] = {
+ (byte)0x00,
+ (byte)0xbb, (byte)0xf0, (byte)0x40, (byte)0x36,
+ (byte)0xac, (byte)0x26, (byte)0x54, (byte)0x4e,
+ (byte)0xf4, (byte)0xa3, (byte)0x5a, (byte)0x00,
+ (byte)0x2f, (byte)0x69, (byte)0x21, (byte)0x6f,
+ (byte)0xb9, (byte)0x7a, (byte)0x3a, (byte)0x93,
+ (byte)0xec, (byte)0xa2, (byte)0xf6, (byte)0xe1,
+ (byte)0x8e, (byte)0xc7, (byte)0x63, (byte)0xd8,
+ (byte)0x2f, (byte)0x12, (byte)0x30, (byte)0x99,
+ (byte)0x2e, (byte)0xb0, (byte)0xf2, (byte)0x8f,
+ (byte)0xf8, (byte)0x27, (byte)0x2d, (byte)0x24,
+ (byte)0x78, (byte)0x28, (byte)0x84, (byte)0xf7,
+ (byte)0x01, (byte)0xbf, (byte)0x8d, (byte)0x44,
+ (byte)0x79, (byte)0xdd, (byte)0x3b, (byte)0xd2,
+ (byte)0x55, (byte)0xf3, (byte)0xce, (byte)0x3c,
+ (byte)0xb2, (byte)0x5b, (byte)0x21, (byte)0x7d,
+ (byte)0xef, (byte)0xfd, (byte)0x33, (byte)0x4a,
+ (byte)0xb1, (byte)0xa3, (byte)0xff, (byte)0xc6,
+ (byte)0xc8, (byte)0x9b, (byte)0xb9, (byte)0x0f,
+ (byte)0x7c, (byte)0x41, (byte)0x35, (byte)0x97,
+ (byte)0xf9, (byte)0xdb, (byte)0x3a, (byte)0x05,
+ (byte)0x60, (byte)0x05, (byte)0x15, (byte)0xaf,
+ (byte)0x59, (byte)0x17, (byte)0x92, (byte)0xa3,
+ (byte)0x10, (byte)0xad, (byte)0x16, (byte)0x1c,
+ (byte)0xe4, (byte)0x07, (byte)0x53, (byte)0xaf,
+ (byte)0xa8, (byte)0x76, (byte)0xa2, (byte)0x56,
+ (byte)0x2a, (byte)0x92, (byte)0xd3, (byte)0xf9,
+ (byte)0x28, (byte)0xe0, (byte)0x78, (byte)0xcf,
+ (byte)0x5e, (byte)0x1f, (byte)0x48, (byte)0xab,
+ (byte)0x5c, (byte)0x19, (byte)0xdd, (byte)0xe1,
+ (byte)0x67, (byte)0x43, (byte)0xba, (byte)0x75,
+ (byte)0x8d, (byte)0xf5, (byte)0x82, (byte)0xac,
+ (byte)0x43, (byte)0x92, (byte)0x44, (byte)0x1b
+ };
+
+ static char passphrase[] = "passphrase".toCharArray();
+
+ /*
+ * Is the server ready to serve?
+ */
+ volatile static boolean serverReady = false;
+
+ /*
+ * Turn on SSL debugging?
+ */
+ static boolean debug = false;
+
+ /*
+ * Define the server side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doServerSide() throws Exception {
+ SSLContext context = getSSLContext(trusedCertStr, serverCertStr,
+ serverModulus, serverPrivateExponent, passphrase);
+ SSLServerSocketFactory sslssf = context.getServerSocketFactory();
+
+ SSLServerSocket sslServerSocket =
+ (SSLServerSocket) sslssf.createServerSocket(serverPort);
+ serverPort = sslServerSocket.getLocalPort();
+
+ // enable endpoint identification
+ // ignore, we may test the feature when known how to parse client
+ // hostname
+ //SSLParameters params = sslServerSocket.getSSLParameters();
+ //params.setEndpointIdentificationAlgorithm("HTTPS");
+ //sslServerSocket.setSSLParameters(params);
+
+ /*
+ * Signal Client, we're ready for his connect.
+ */
+ serverReady = true;
+
+ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
+ sslSocket.setNeedClientAuth(true);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslIS.read();
+ sslOS.write(85);
+ sslOS.flush();
+
+ sslSocket.close();
+
+ }
+
+ /*
+ * Define the client side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doClientSide() throws Exception {
+ /*
+ * Wait for server to get started.
+ */
+ while (!serverReady) {
+ Thread.sleep(50);
+ }
+
+ SSLContext context = getSSLContext(trusedCertStr, clientCertStr,
+ clientModulus, clientPrivateExponent, passphrase);
+
+ SSLSocketFactory sslsf = context.getSocketFactory();
+ SSLSocket sslSocket = (SSLSocket)
+ sslsf.createSocket("localhost", serverPort);
+
+ // enable endpoint identification
+ SSLParameters params = sslSocket.getSSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ sslSocket.setSSLParameters(params);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslOS.write(280);
+ sslOS.flush();
+ sslIS.read();
+
+ sslSocket.close();
+
+ }
+
+ // get the ssl context
+ private static SSLContext getSSLContext(String trusedCertStr,
+ String keyCertStr, byte[] modulus,
+ byte[] privateExponent, char[] passphrase) throws Exception {
+
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(trusedCertStr.getBytes());
+ Certificate trusedCert = cf.generateCertificate(is);
+ is.close();
+
+ // create a key store
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(null, null);
+
+ // import the trused cert
+ ks.setCertificateEntry("RSA Export Signer", trusedCert);
+
+ if (keyCertStr != null) {
+ // generate the private key.
+ RSAPrivateKeySpec priKeySpec = new RSAPrivateKeySpec(
+ new BigInteger(modulus),
+ new BigInteger(privateExponent));
+ KeyFactory kf = KeyFactory.getInstance("RSA");
+ RSAPrivateKey priKey =
+ (RSAPrivateKey)kf.generatePrivate(priKeySpec);
+
+ // generate certificate chain
+ is = new ByteArrayInputStream(keyCertStr.getBytes());
+ Certificate keyCert = cf.generateCertificate(is);
+ is.close();
+
+ Certificate[] chain = new Certificate[2];
+ chain[0] = keyCert;
+ chain[1] = trusedCert;
+
+ // import the key entry.
+ ks.setKeyEntry("Whatever", priKey, passphrase, chain);
+ }
+
+ // create SSL context
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
+ tmf.init(ks);
+
+ TrustManager tms[] = tmf.getTrustManagers();
+ if (tms == null || tms.length == 0) {
+ throw new Exception("unexpected trust manager implementation");
+ } else {
+ if (!(tms[0] instanceof X509ExtendedTrustManager)) {
+ throw new Exception("unexpected trust manager implementation: "
+ + tms[0].getClass().getCanonicalName());
+ }
+ }
+
+
+ SSLContext ctx = SSLContext.getInstance("TLS");
+
+ if (keyCertStr != null) {
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ kmf.init(ks, passphrase);
+
+ ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+ } else {
+ ctx.init(null, tmf.getTrustManagers(), null);
+ }
+
+ return ctx;
+ }
+
+ /*
+ * =============================================================
+ * The remainder is just support stuff
+ */
+
+ // use any free port by default
+ volatile int serverPort = 0;
+
+ volatile Exception serverException = null;
+ volatile Exception clientException = null;
+
+ public static void main(String args[]) throws Exception {
+ if (debug)
+ System.setProperty("javax.net.debug", "all");
+
+ /*
+ * Start the tests.
+ */
+ new PKIXExtendedTM();
+ }
+
+ Thread clientThread = null;
+ Thread serverThread = null;
+ /*
+ * Primary constructor, used to drive remainder of the test.
+ *
+ * Fork off the other side, then do your work.
+ */
+ PKIXExtendedTM() throws Exception {
+ if (separateServerThread) {
+ startServer(true);
+ startClient(false);
+ } else {
+ startClient(true);
+ startServer(false);
+ }
+
+ /*
+ * Wait for other side to close down.
+ */
+ if (separateServerThread) {
+ serverThread.join();
+ } else {
+ clientThread.join();
+ }
+
+ /*
+ * When we get here, the test is pretty much over.
+ *
+ * If the main thread excepted, that propagates back
+ * immediately. If the other thread threw an exception, we
+ * should report back.
+ */
+ if (serverException != null)
+ throw serverException;
+ if (clientException != null)
+ throw clientException;
+ }
+
+ void startServer(boolean newThread) throws Exception {
+ if (newThread) {
+ serverThread = new Thread() {
+ public void run() {
+ try {
+ doServerSide();
+ } catch (Exception e) {
+ /*
+ * Our server thread just died.
+ *
+ * Release the client, if not active already...
+ */
+ System.err.println("Server died...");
+ serverReady = true;
+ serverException = e;
+ }
+ }
+ };
+ serverThread.start();
+ } else {
+ doServerSide();
+ }
+ }
+
+ void startClient(boolean newThread) throws Exception {
+ if (newThread) {
+ clientThread = new Thread() {
+ public void run() {
+ try {
+ doClientSide();
+ } catch (Exception e) {
+ /*
+ * Our client thread just died.
+ */
+ System.err.println("Client died...");
+ clientException = e;
+ }
+ }
+ };
+ clientThread.start();
+ } else {
+ doClientSide();
+ }
+ }
+
+}
diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
new file mode 100644
index 0000000000000000000000000000000000000000..19eb41a8aa2d9003af0352476af97a4a349f6f93
--- /dev/null
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SunX509ExtendedTM.java
@@ -0,0 +1,884 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 6916074
+ * @run main/othervm -Djavax.net.debug=all SunX509ExtendedTM
+ * @summary Add support for TLS 1.2
+ */
+
+import java.net.*;
+import java.util.*;
+import java.io.*;
+import javax.net.ssl.*;
+import java.security.KeyStore;
+import java.security.KeyFactory;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.math.BigInteger;
+
+
+/*
+ * Certificates and key used in the test.
+ *
+ * TLS server certificate:
+ * server private key:
+ * -----BEGIN RSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: DES-EDE3-CBC,D9AE407F6D0E389A
+ *
+ * WPrA7TFol/cQCcp9oHnXWNpYlvRbbIcQj0m+RKT2Iuzfus+DHt3Zadf8nJpKfX2e
+ * h2rnhlzCN9M7djRDooZKDOPCsdBn51Au7HlZF3S3Opgo7D8XFM1a8t1Je4ke14oI
+ * nw6QKYsBblRziPnP2PZ0zvX24nOv7bbY8beynlJHGs00VWSFdoH2DS0aE1p6D+3n
+ * ptJuJ75dVfZFK4X7162APlNXevX8D6PEQpSiRw1rjjGGcnvQ4HdWk3BxDVDcCNJb
+ * Y1aGNRxsjTDvPi3R9Qx2M+W03QzEPx4SR3ZHVskeSJHaetM0TM/w/45Paq4GokXP
+ * ZeTnbEx1xmjkA7h+t4doLL4watx5F6yLsJzu8xB3lt/1EtmkYtLz1t7X4BetPAXz
+ * zS69X/VwhKfsOI3qXBWuL2oHPyhDmT1gcaUQwEPSV6ogHEEQEDXdiUS8heNK13KF
+ * TCQYFkETvV2BLxUhV1hypPzRQ6tUpJiAbD5KmoK2lD9slshG2QtvKQq0/bgkDY5J
+ * LhDHV2dtcZ3kDPkkZXpbcJQvoeH3d09C5sIsuTFo2zgNR6oETHUc5TzP6FY2YYRa
+ * QcK5HcmtsRRiXFm01ac+aMejJUIujjFt84SiKWT/73vC8AmY4tYcJBLjCg4XIxSH
+ * fdDFLL1YZENNO5ivlp8mdiHqcawx+36L7DrEZQ8RZt6cqST5t/+XTdM74s6k81GT
+ * pNsa82P2K2zmIUZ/DL2mKjW1vfRByw1NQFEBkN3vdyZxYfM/JyUzX4hbjXBEkh9Q
+ * QYrcwLKLjis2QzSvK04B3bvRzRb+4ocWiso8ZPAXAIxZFBWDpTMM2A==
+ * -----END RSA PRIVATE KEY-----
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * MIICXAIBAAKBgQClrFscN6LdmYktsnm4j9VIpecchBeNaZzGrG358h0fORna03Ie
+ * buxEzHCk3LoAMPagTz1UemFqzFfQCn+VKBg/mtmU8hvIJIh+/p0PPftXUwizIDPU
+ * PxdHFNHN6gjYDnVOr77M0uyvqXpJ38LZrLgkQJCmA1Yq0DAFQCxPq9l0iQIDAQAB
+ * AoGAbqcbg1E1mkR99uOJoNeQYKFOJyGiiXTMnXV1TseC4+PDfQBU7Dax35GcesBi
+ * CtapIpFKKS5D+ozY6b7ZT8ojxuQ/uHLPAvz0WDR3ds4iRF8tyu71Q1ZHcQsJa17y
+ * yO7UbkSSKn/Mp9Rb+/dKqftUGNXVFLqgHBOzN2s3We3bbbECQQDYBPKOg3hkaGHo
+ * OhpHKqtQ6EVkldihG/3i4WejRonelXN+HRh1KrB2HBx0M8D/qAzP1i3rNSlSHer4
+ * 59YRTJnHAkEAxFX/sVYSn07BHv9Zhn6XXct/Cj43z/tKNbzlNbcxqQwQerw3IH51
+ * 8UH2YOA+GD3lXbKp+MytoFLWv8zg4YT/LwJAfqan75Z1R6lLffRS49bIiq8jwE16
+ * rTrUJ+kv8jKxMqc9B3vXkxpsS1M/+4E8bqgAmvpgAb8xcsvHsBd9ErdukQJBAKs2
+ * j67W75BrPjBI34pQ1LEfp56IGWXOrq1kF8IbCjxv3+MYRT6Z6UJFkpRymNPNDjsC
+ * dgUYgITiGJHUGXuw3lMCQHEHqo9ZtXz92yFT+VhsNc29B8m/sqUJdtCcMd/jGpAF
+ * u6GHufjqIZBpQsk63wbwESAPZZ+kk1O1kS5GIRLX608=
+ * -----END RSA PRIVATE KEY-----
+ *
+ * Private-Key: (1024 bit)
+ * modulus:
+ * 00:a5:ac:5b:1c:37:a2:dd:99:89:2d:b2:79:b8:8f:
+ * d5:48:a5:e7:1c:84:17:8d:69:9c:c6:ac:6d:f9:f2:
+ * 1d:1f:39:19:da:d3:72:1e:6e:ec:44:cc:70:a4:dc:
+ * ba:00:30:f6:a0:4f:3d:54:7a:61:6a:cc:57:d0:0a:
+ * 7f:95:28:18:3f:9a:d9:94:f2:1b:c8:24:88:7e:fe:
+ * 9d:0f:3d:fb:57:53:08:b3:20:33:d4:3f:17:47:14:
+ * d1:cd:ea:08:d8:0e:75:4e:af:be:cc:d2:ec:af:a9:
+ * 7a:49:df:c2:d9:ac:b8:24:40:90:a6:03:56:2a:d0:
+ * 30:05:40:2c:4f:ab:d9:74:89
+ * publicExponent: 65537 (0x10001)
+ * privateExponent:
+ * 6e:a7:1b:83:51:35:9a:44:7d:f6:e3:89:a0:d7:90:
+ * 60:a1:4e:27:21:a2:89:74:cc:9d:75:75:4e:c7:82:
+ * e3:e3:c3:7d:00:54:ec:36:b1:df:91:9c:7a:c0:62:
+ * 0a:d6:a9:22:91:4a:29:2e:43:fa:8c:d8:e9:be:d9:
+ * 4f:ca:23:c6:e4:3f:b8:72:cf:02:fc:f4:58:34:77:
+ * 76:ce:22:44:5f:2d:ca:ee:f5:43:56:47:71:0b:09:
+ * 6b:5e:f2:c8:ee:d4:6e:44:92:2a:7f:cc:a7:d4:5b:
+ * fb:f7:4a:a9:fb:54:18:d5:d5:14:ba:a0:1c:13:b3:
+ * 37:6b:37:59:ed:db:6d:b1
+ * prime1:
+ * 00:d8:04:f2:8e:83:78:64:68:61:e8:3a:1a:47:2a:
+ * ab:50:e8:45:64:95:d8:a1:1b:fd:e2:e1:67:a3:46:
+ * 89:de:95:73:7e:1d:18:75:2a:b0:76:1c:1c:74:33:
+ * c0:ff:a8:0c:cf:d6:2d:eb:35:29:52:1d:ea:f8:e7:
+ * d6:11:4c:99:c7
+ * prime2:
+ * 00:c4:55:ff:b1:56:12:9f:4e:c1:1e:ff:59:86:7e:
+ * 97:5d:cb:7f:0a:3e:37:cf:fb:4a:35:bc:e5:35:b7:
+ * 31:a9:0c:10:7a:bc:37:20:7e:75:f1:41:f6:60:e0:
+ * 3e:18:3d:e5:5d:b2:a9:f8:cc:ad:a0:52:d6:bf:cc:
+ * e0:e1:84:ff:2f
+ * exponent1:
+ * 7e:a6:a7:ef:96:75:47:a9:4b:7d:f4:52:e3:d6:c8:
+ * 8a:af:23:c0:4d:7a:ad:3a:d4:27:e9:2f:f2:32:b1:
+ * 32:a7:3d:07:7b:d7:93:1a:6c:4b:53:3f:fb:81:3c:
+ * 6e:a8:00:9a:fa:60:01:bf:31:72:cb:c7:b0:17:7d:
+ * 12:b7:6e:91
+ * exponent2:
+ * 00:ab:36:8f:ae:d6:ef:90:6b:3e:30:48:df:8a:50:
+ * d4:b1:1f:a7:9e:88:19:65:ce:ae:ad:64:17:c2:1b:
+ * 0a:3c:6f:df:e3:18:45:3e:99:e9:42:45:92:94:72:
+ * 98:d3:cd:0e:3b:02:76:05:18:80:84:e2:18:91:d4:
+ * 19:7b:b0:de:53
+ * coefficient:
+ * 71:07:aa:8f:59:b5:7c:fd:db:21:53:f9:58:6c:35:
+ * cd:bd:07:c9:bf:b2:a5:09:76:d0:9c:31:df:e3:1a:
+ * 90:05:bb:a1:87:b9:f8:ea:21:90:69:42:c9:3a:df:
+ * 06:f0:11:20:0f:65:9f:a4:93:53:b5:91:2e:46:21:
+ * 12:d7:eb:4f
+ *
+ *
+ * server certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 8 (0x8)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 03:43:04 2008 GMT
+ * Not After : Aug 25 03:43:04 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Server, CN=localhost
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:a5:ac:5b:1c:37:a2:dd:99:89:2d:b2:79:b8:8f:
+ * d5:48:a5:e7:1c:84:17:8d:69:9c:c6:ac:6d:f9:f2:
+ * 1d:1f:39:19:da:d3:72:1e:6e:ec:44:cc:70:a4:dc:
+ * ba:00:30:f6:a0:4f:3d:54:7a:61:6a:cc:57:d0:0a:
+ * 7f:95:28:18:3f:9a:d9:94:f2:1b:c8:24:88:7e:fe:
+ * 9d:0f:3d:fb:57:53:08:b3:20:33:d4:3f:17:47:14:
+ * d1:cd:ea:08:d8:0e:75:4e:af:be:cc:d2:ec:af:a9:
+ * 7a:49:df:c2:d9:ac:b8:24:40:90:a6:03:56:2a:d0:
+ * 30:05:40:2c:4f:ab:d9:74:89
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Basic Constraints:
+ * CA:FALSE
+ * X509v3 Key Usage:
+ * Digital Signature, Non Repudiation, Key Encipherment
+ * X509v3 Subject Key Identifier:
+ * ED:6E:DB:F4:B5:56:C8:FB:1A:06:61:3F:0F:08:BB:A6:04:D8:16:54
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ *
+ * X509v3 Subject Alternative Name: critical
+ * DNS:localhost
+ * Signature Algorithm: md5WithRSAEncryption0
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICpDCCAg2gAwIBAgIBCDANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMDRaFw0yODA4MjUwMzQzMDRaMHIxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtU2VydmVyMRIwEAYD
+ * VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWsWxw3
+ * ot2ZiS2yebiP1Uil5xyEF41pnMasbfnyHR85GdrTch5u7ETMcKTcugAw9qBPPVR6
+ * YWrMV9AKf5UoGD+a2ZTyG8gkiH7+nQ89+1dTCLMgM9Q/F0cU0c3qCNgOdU6vvszS
+ * 7K+peknfwtmsuCRAkKYDVirQMAVALE+r2XSJAgMBAAGjczBxMAkGA1UdEwQCMAAw
+ * CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTtbtv0tVbI+xoGYT8PCLumBNgWVDAfBgNV
+ * HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh
+ * bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAoqVTciHtcvsUj+YaTct8tUh3aTCsKsac
+ * PHhfQ+ObjiXSgxsKYTX7ym/wk/wvlbUcbqLKxsu7qrcJitH+H9heV1hEHEu65Uoi
+ * nRugFruyOrwvAylV8Cm2af7ddilmYJ+sdJA6N2M3xJRxR0G2LFHEXDNEjYReyexn
+ * JqCpf5uZGOo=
+ * -----END CERTIFICATE-----
+ *
+ *
+ * TLS client certificate:
+ * client private key:
+ * ----BEGIN RSA PRIVATE KEY-----
+ * Proc-Type: 4,ENCRYPTED
+ * DEK-Info: DES-EDE3-CBC,FA2A435CD35A9390
+ *
+ * Z+Y2uaETbsUWIyJUyVu1UV2G4rgFYJyACZT6Tp1KjRtxflSh2kXkJ9MpuXMXA0V4
+ * Yy3fDzPqCL9NJmQAYRlAx/W/+j4F5EyMWDIx8fUxzONRZyoiwF7jLm+KscAfv6Pf
+ * q7ItWOdj3z7IYrwlB8YIGd3F2cDKT3S+lYRk7rKb/qT7itbuHnY4Ardh3yl+MZak
+ * jBp+ELUlRsUqSr1V0LoM+0rCCykarpyfhpxEcqsrl0v9Cyi5uhU50/oKv5zql3SH
+ * l2ImgDjp3batAs8+Bd4NF2aqi0a7Hy44JUHxRm4caZryU/i/D9N1MbuM6882HLat
+ * 5N0G+NaIUfywa8mjwq2D5aiit18HqKA6XeRRYeJ5Dvu9DCO4GeFSwcUFIBMI0L46
+ * 7s114+oDodg57pMgITi+04vmUxvqlN9aiyd7f5Fgd7PeHGeOdbMz1NaJLJaPI9++
+ * NakK8eK9iwT/Gdq0Uap5/CHW7vCT5PO+h3HY0STH0lWStXhdWnFO04zTdywsbSp+
+ * DLpHeFT66shfeUlxR0PsCbG9vPRt/QmGLeYQZITppWo/ylSq4j+pRIuXvuWHdBRN
+ * rTZ8QF4Y7AxQUXVz1j1++s6ZMHTzaK2i9HrhmDs1MbJl+QwWre3Xpv3LvTVz3k5U
+ * wX8kuY1m3STt71QCaRWENq5sRaMImLxZbxc/ivFl9RAzUqo4NCxLod/QgA4iLqtO
+ * ztnlpzwlC/F8HbQ1oqYWwnZAPhzU/cULtstl+Yrws2c2atO323LbPXZqbASySgig
+ * sNpFXQMObdfP6LN23bY+1SvtK7V4NUTNhpdIc6INQAQ=
+ * -----END RSA PRIVATE KEY-----
+ *
+ * -----BEGIN RSA PRIVATE KEY-----
+ * MIICWwIBAAKBgQC78EA2rCZUTvSjWgAvaSFvuXo6k+yi9uGOx2PYLxIwmS6w8o/4
+ * Jy0keCiE9wG/jUR53TvSVfPOPLJbIX3v/TNKsaP/xsibuQ98QTWX+ds6BWAFFa9Z
+ * F5KjEK0WHOQHU6+odqJWKpLT+SjgeM9eH0irXBnd4WdDunWN9YKsQ5JEGwIDAQAB
+ * AoGAEbdqNj0wN85hnWyEi/ObJU8UyKTdL9eaF72QGfcF/fLSxfd3vurihIeXOkGW
+ * tpn4lIxYcVGM9CognhqgJpl11jFTQzn1KqZ+NEJRKkCHA4hDabKJbSC9fXHvRwrf
+ * BsFpZqgiNxp3HseUTiwnaUVeyPgMt/jAj5nB5Sib+UyUxrECQQDnNQBiF2aifEg6
+ * zbJOOC7he5CHAdkFxSxWVFVHL6EfXfqdLVkUohMbgZv+XxyIeU2biOExSg49Kds3
+ * FOKgTau1AkEA0Bd1haj6QuCo8I0AXm2WO+MMTZMTvtHD/bGjKNM+fT4I8rKYnQRX
+ * 1acHdqS9Xx2rNJqZgkMmpESIdPR2fc4yjwJALFeM6EMmqvj8/VIf5UJ/Mz14fXwM
+ * PEARfckUxd9LnnFutCBTWlKvKXJVEZb6KO5ixPaegc57Jp3Vbh3yTN44lQJADD/1
+ * SSMDaIB1MYP7a5Oj7m6VQNPRq8AJe5vDcRnOae0G9dKRrVyeFxO4GsHj6/+BHp2j
+ * P8nYMn9eURQ7DXjf/QJAAQzMlWnKGSO8pyTDtnQx3hRMoUkOEhmNq4bQhLkYqtnY
+ * FcqpUQ2qMjW+NiNWk5HnTrMS3L9EdJobMUzaNZLy4w==
+ * -----END RSA PRIVATE KEY-----
+ *
+ * Private-Key: (1024 bit)
+ * modulus:
+ * 00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
+ * 21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
+ * 12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
+ * 01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
+ * 7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
+ * 35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
+ * ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
+ * 28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
+ * 75:8d:f5:82:ac:43:92:44:1b
+ * publicExponent: 65537 (0x10001)
+ * privateExponent:
+ * 11:b7:6a:36:3d:30:37:ce:61:9d:6c:84:8b:f3:9b:
+ * 25:4f:14:c8:a4:dd:2f:d7:9a:17:bd:90:19:f7:05:
+ * fd:f2:d2:c5:f7:77:be:ea:e2:84:87:97:3a:41:96:
+ * b6:99:f8:94:8c:58:71:51:8c:f4:2a:20:9e:1a:a0:
+ * 26:99:75:d6:31:53:43:39:f5:2a:a6:7e:34:42:51:
+ * 2a:40:87:03:88:43:69:b2:89:6d:20:bd:7d:71:ef:
+ * 47:0a:df:06:c1:69:66:a8:22:37:1a:77:1e:c7:94:
+ * 4e:2c:27:69:45:5e:c8:f8:0c:b7:f8:c0:8f:99:c1:
+ * e5:28:9b:f9:4c:94:c6:b1
+ * prime1:
+ * 00:e7:35:00:62:17:66:a2:7c:48:3a:cd:b2:4e:38:
+ * 2e:e1:7b:90:87:01:d9:05:c5:2c:56:54:55:47:2f:
+ * a1:1f:5d:fa:9d:2d:59:14:a2:13:1b:81:9b:fe:5f:
+ * 1c:88:79:4d:9b:88:e1:31:4a:0e:3d:29:db:37:14:
+ * e2:a0:4d:ab:b5
+ * prime2:
+ * 00:d0:17:75:85:a8:fa:42:e0:a8:f0:8d:00:5e:6d:
+ * 96:3b:e3:0c:4d:93:13:be:d1:c3:fd:b1:a3:28:d3:
+ * 3e:7d:3e:08:f2:b2:98:9d:04:57:d5:a7:07:76:a4:
+ * bd:5f:1d:ab:34:9a:99:82:43:26:a4:44:88:74:f4:
+ * 76:7d:ce:32:8f
+ * exponent1:
+ * 2c:57:8c:e8:43:26:aa:f8:fc:fd:52:1f:e5:42:7f:
+ * 33:3d:78:7d:7c:0c:3c:40:11:7d:c9:14:c5:df:4b:
+ * 9e:71:6e:b4:20:53:5a:52:af:29:72:55:11:96:fa:
+ * 28:ee:62:c4:f6:9e:81:ce:7b:26:9d:d5:6e:1d:f2:
+ * 4c:de:38:95
+ * exponent2:
+ * 0c:3f:f5:49:23:03:68:80:75:31:83:fb:6b:93:a3:
+ * ee:6e:95:40:d3:d1:ab:c0:09:7b:9b:c3:71:19:ce:
+ * 69:ed:06:f5:d2:91:ad:5c:9e:17:13:b8:1a:c1:e3:
+ * eb:ff:81:1e:9d:a3:3f:c9:d8:32:7f:5e:51:14:3b:
+ * 0d:78:df:fd
+ * coefficient:
+ * 01:0c:cc:95:69:ca:19:23:bc:a7:24:c3:b6:74:31:
+ * de:14:4c:a1:49:0e:12:19:8d:ab:86:d0:84:b9:18:
+ * aa:d9:d8:15:ca:a9:51:0d:aa:32:35:be:36:23:56:
+ * 93:91:e7:4e:b3:12:dc:bf:44:74:9a:1b:31:4c:da:
+ * 35:92:f2:e3
+ *
+ * client certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 9 (0x9)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 03:43:24 2008 GMT
+ * Not After : Aug 25 03:43:24 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Client, CN=localhost
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
+ * 21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
+ * 12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
+ * 01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
+ * 7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
+ * 35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
+ * ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
+ * 28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
+ * 75:8d:f5:82:ac:43:92:44:1b
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Basic Constraints:
+ * CA:FALSE
+ * X509v3 Key Usage:
+ * Digital Signature, Non Repudiation, Key Encipherment
+ * X509v3 Subject Key Identifier:
+ * CD:BB:C8:85:AA:91:BD:FD:1D:BE:CD:67:7C:FF:B3:E9:4C:A8:22:E6
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ *
+ * X509v3 Subject Alternative Name: critical
+ * DNS:localhost
+ * Signature Algorithm: md5WithRSAEncryption
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICpDCCAg2gAwIBAgIBCTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMjRaFw0yODA4MjUwMzQzMjRaMHIxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD
+ * VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas
+ * JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV
+ * 8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq
+ * ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjczBxMAkGA1UdEwQCMAAw
+ * CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV
+ * HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh
+ * bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAm25gJyqW1JznQ1EyOtTGswBVwfgBOf+F
+ * HJuBTcflYQLbTD/AETPQJGvZU9tdhuLtbG3OPhR7vSY8zeAbfM3dbH7QFr3r47Gj
+ * XEH7qM/MX+Z3ifVaC4MeJmrYQkYFSuKeyyKpdRVX4w4nnFHF6OsNASsYrMW6LpxN
+ * cl/epUcHL7E=
+ * -----END CERTIFICATE-----
+ *
+ *
+ *
+ * Trusted CA certificate:
+ * Certificate:
+ * Data:
+ * Version: 3 (0x2)
+ * Serial Number: 0 (0x0)
+ * Signature Algorithm: md5WithRSAEncryption
+ * Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Validity
+ * Not Before: Dec 8 02:43:36 2008 GMT
+ * Not After : Aug 25 02:43:36 2028 GMT
+ * Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org
+ * Subject Public Key Info:
+ * Public Key Algorithm: rsaEncryption
+ * RSA Public Key: (1024 bit)
+ * Modulus (1024 bit):
+ * 00:cb:c4:38:20:07:be:88:a7:93:b0:a1:43:51:2d:
+ * d7:8e:85:af:54:dd:ad:a2:7b:23:5b:cf:99:13:53:
+ * 99:45:7d:ee:6d:ba:2d:bf:e3:ad:6e:3d:9f:1a:f9:
+ * 03:97:e0:17:55:ae:11:26:57:de:01:29:8e:05:3f:
+ * 21:f7:e7:36:e8:2e:37:d7:48:ac:53:d6:60:0e:c7:
+ * 50:6d:f6:c5:85:f7:8b:a6:c5:91:35:72:3c:94:ee:
+ * f1:17:f0:71:e3:ec:1b:ce:ca:4e:40:42:b0:6d:ee:
+ * 6a:0e:d6:e5:ad:3c:0f:c9:ba:82:4f:78:f8:89:97:
+ * 89:2a:95:12:4c:d8:09:2a:e9
+ * Exponent: 65537 (0x10001)
+ * X509v3 extensions:
+ * X509v3 Subject Key Identifier:
+ * FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ * X509v3 Authority Key Identifier:
+ * keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
+ * DirName:/C=US/ST=Some-State/L=Some-City/O=Some-Org
+ * serial:00
+ *
+ * X509v3 Basic Constraints:
+ * CA:TRUE
+ * Signature Algorithm: md5WithRSAEncryption
+ *
+ * -----BEGIN CERTIFICATE-----
+ * MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET
+ * MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK
+ * EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ
+ * BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp
+ * dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+ * gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX
+ * 4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj
+ * 7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G
+ * A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ
+ * hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt
+ * U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw
+ * DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA
+ * ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ
+ * LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P
+ * 6Mvf0r1PNTY2hwTJLJmKtg==
+ * -----END CERTIFICATE---
+ */
+
+
+public class SunX509ExtendedTM {
+
+ /*
+ * =============================================================
+ * Set the various variables needed for the tests, then
+ * specify what tests to run on each side.
+ */
+
+ /*
+ * Should we run the client or server in a separate thread?
+ * Both sides can throw exceptions, but do you have a preference
+ * as to which side should be the main thread.
+ */
+ static boolean separateServerThread = false;
+
+ /*
+ * Where do we find the keystores?
+ */
+ static String trusedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
+ "gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX\n" +
+ "4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj\n" +
+ "7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G\n" +
+ "A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ\n" +
+ "hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt\n" +
+ "U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw\n" +
+ "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA\n" +
+ "ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ\n" +
+ "LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P\n" +
+ "6Mvf0r1PNTY2hwTJLJmKtg==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String serverCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICpDCCAg2gAwIBAgIBCDANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMDRaFw0yODA4MjUwMzQzMDRaMHIxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtU2VydmVyMRIwEAYD\n" +
+ "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKWsWxw3\n" +
+ "ot2ZiS2yebiP1Uil5xyEF41pnMasbfnyHR85GdrTch5u7ETMcKTcugAw9qBPPVR6\n" +
+ "YWrMV9AKf5UoGD+a2ZTyG8gkiH7+nQ89+1dTCLMgM9Q/F0cU0c3qCNgOdU6vvszS\n" +
+ "7K+peknfwtmsuCRAkKYDVirQMAVALE+r2XSJAgMBAAGjczBxMAkGA1UdEwQCMAAw\n" +
+ "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTtbtv0tVbI+xoGYT8PCLumBNgWVDAfBgNV\n" +
+ "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh\n" +
+ "bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAoqVTciHtcvsUj+YaTct8tUh3aTCsKsac\n" +
+ "PHhfQ+ObjiXSgxsKYTX7ym/wk/wvlbUcbqLKxsu7qrcJitH+H9heV1hEHEu65Uoi\n" +
+ "nRugFruyOrwvAylV8Cm2af7ddilmYJ+sdJA6N2M3xJRxR0G2LFHEXDNEjYReyexn\n" +
+ "JqCpf5uZGOo=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String clientCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICpDCCAg2gAwIBAgIBCTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
+ "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
+ "EwhTb21lLU9yZzAeFw0wODEyMDgwMzQzMjRaFw0yODA4MjUwMzQzMjRaMHIxCzAJ\n" +
+ "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
+ "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD\n" +
+ "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas\n" +
+ "JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV\n" +
+ "8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq\n" +
+ "ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjczBxMAkGA1UdEwQCMAAw\n" +
+ "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV\n" +
+ "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDAXBgNVHREBAf8EDTALgglsb2Nh\n" +
+ "bGhvc3QwDQYJKoZIhvcNAQEEBQADgYEAm25gJyqW1JznQ1EyOtTGswBVwfgBOf+F\n" +
+ "HJuBTcflYQLbTD/AETPQJGvZU9tdhuLtbG3OPhR7vSY8zeAbfM3dbH7QFr3r47Gj\n" +
+ "XEH7qM/MX+Z3ifVaC4MeJmrYQkYFSuKeyyKpdRVX4w4nnFHF6OsNASsYrMW6LpxN\n" +
+ "cl/epUcHL7E=\n" +
+ "-----END CERTIFICATE-----";
+
+ static byte serverPrivateExponent[] = {
+ (byte)0x6e, (byte)0xa7, (byte)0x1b, (byte)0x83,
+ (byte)0x51, (byte)0x35, (byte)0x9a, (byte)0x44,
+ (byte)0x7d, (byte)0xf6, (byte)0xe3, (byte)0x89,
+ (byte)0xa0, (byte)0xd7, (byte)0x90, (byte)0x60,
+ (byte)0xa1, (byte)0x4e, (byte)0x27, (byte)0x21,
+ (byte)0xa2, (byte)0x89, (byte)0x74, (byte)0xcc,
+ (byte)0x9d, (byte)0x75, (byte)0x75, (byte)0x4e,
+ (byte)0xc7, (byte)0x82, (byte)0xe3, (byte)0xe3,
+ (byte)0xc3, (byte)0x7d, (byte)0x00, (byte)0x54,
+ (byte)0xec, (byte)0x36, (byte)0xb1, (byte)0xdf,
+ (byte)0x91, (byte)0x9c, (byte)0x7a, (byte)0xc0,
+ (byte)0x62, (byte)0x0a, (byte)0xd6, (byte)0xa9,
+ (byte)0x22, (byte)0x91, (byte)0x4a, (byte)0x29,
+ (byte)0x2e, (byte)0x43, (byte)0xfa, (byte)0x8c,
+ (byte)0xd8, (byte)0xe9, (byte)0xbe, (byte)0xd9,
+ (byte)0x4f, (byte)0xca, (byte)0x23, (byte)0xc6,
+ (byte)0xe4, (byte)0x3f, (byte)0xb8, (byte)0x72,
+ (byte)0xcf, (byte)0x02, (byte)0xfc, (byte)0xf4,
+ (byte)0x58, (byte)0x34, (byte)0x77, (byte)0x76,
+ (byte)0xce, (byte)0x22, (byte)0x44, (byte)0x5f,
+ (byte)0x2d, (byte)0xca, (byte)0xee, (byte)0xf5,
+ (byte)0x43, (byte)0x56, (byte)0x47, (byte)0x71,
+ (byte)0x0b, (byte)0x09, (byte)0x6b, (byte)0x5e,
+ (byte)0xf2, (byte)0xc8, (byte)0xee, (byte)0xd4,
+ (byte)0x6e, (byte)0x44, (byte)0x92, (byte)0x2a,
+ (byte)0x7f, (byte)0xcc, (byte)0xa7, (byte)0xd4,
+ (byte)0x5b, (byte)0xfb, (byte)0xf7, (byte)0x4a,
+ (byte)0xa9, (byte)0xfb, (byte)0x54, (byte)0x18,
+ (byte)0xd5, (byte)0xd5, (byte)0x14, (byte)0xba,
+ (byte)0xa0, (byte)0x1c, (byte)0x13, (byte)0xb3,
+ (byte)0x37, (byte)0x6b, (byte)0x37, (byte)0x59,
+ (byte)0xed, (byte)0xdb, (byte)0x6d, (byte)0xb1
+ };
+
+ static byte serverModulus[] = {
+ (byte)0x00,
+ (byte)0xa5, (byte)0xac, (byte)0x5b, (byte)0x1c,
+ (byte)0x37, (byte)0xa2, (byte)0xdd, (byte)0x99,
+ (byte)0x89, (byte)0x2d, (byte)0xb2, (byte)0x79,
+ (byte)0xb8, (byte)0x8f, (byte)0xd5, (byte)0x48,
+ (byte)0xa5, (byte)0xe7, (byte)0x1c, (byte)0x84,
+ (byte)0x17, (byte)0x8d, (byte)0x69, (byte)0x9c,
+ (byte)0xc6, (byte)0xac, (byte)0x6d, (byte)0xf9,
+ (byte)0xf2, (byte)0x1d, (byte)0x1f, (byte)0x39,
+ (byte)0x19, (byte)0xda, (byte)0xd3, (byte)0x72,
+ (byte)0x1e, (byte)0x6e, (byte)0xec, (byte)0x44,
+ (byte)0xcc, (byte)0x70, (byte)0xa4, (byte)0xdc,
+ (byte)0xba, (byte)0x00, (byte)0x30, (byte)0xf6,
+ (byte)0xa0, (byte)0x4f, (byte)0x3d, (byte)0x54,
+ (byte)0x7a, (byte)0x61, (byte)0x6a, (byte)0xcc,
+ (byte)0x57, (byte)0xd0, (byte)0x0a, (byte)0x7f,
+ (byte)0x95, (byte)0x28, (byte)0x18, (byte)0x3f,
+ (byte)0x9a, (byte)0xd9, (byte)0x94, (byte)0xf2,
+ (byte)0x1b, (byte)0xc8, (byte)0x24, (byte)0x88,
+ (byte)0x7e, (byte)0xfe, (byte)0x9d, (byte)0x0f,
+ (byte)0x3d, (byte)0xfb, (byte)0x57, (byte)0x53,
+ (byte)0x08, (byte)0xb3, (byte)0x20, (byte)0x33,
+ (byte)0xd4, (byte)0x3f, (byte)0x17, (byte)0x47,
+ (byte)0x14, (byte)0xd1, (byte)0xcd, (byte)0xea,
+ (byte)0x08, (byte)0xd8, (byte)0x0e, (byte)0x75,
+ (byte)0x4e, (byte)0xaf, (byte)0xbe, (byte)0xcc,
+ (byte)0xd2, (byte)0xec, (byte)0xaf, (byte)0xa9,
+ (byte)0x7a, (byte)0x49, (byte)0xdf, (byte)0xc2,
+ (byte)0xd9, (byte)0xac, (byte)0xb8, (byte)0x24,
+ (byte)0x40, (byte)0x90, (byte)0xa6, (byte)0x03,
+ (byte)0x56, (byte)0x2a, (byte)0xd0, (byte)0x30,
+ (byte)0x05, (byte)0x40, (byte)0x2c, (byte)0x4f,
+ (byte)0xab, (byte)0xd9, (byte)0x74, (byte)0x89
+ };
+
+ static byte clientPrivateExponent[] = {
+ (byte)0x11, (byte)0xb7, (byte)0x6a, (byte)0x36,
+ (byte)0x3d, (byte)0x30, (byte)0x37, (byte)0xce,
+ (byte)0x61, (byte)0x9d, (byte)0x6c, (byte)0x84,
+ (byte)0x8b, (byte)0xf3, (byte)0x9b, (byte)0x25,
+ (byte)0x4f, (byte)0x14, (byte)0xc8, (byte)0xa4,
+ (byte)0xdd, (byte)0x2f, (byte)0xd7, (byte)0x9a,
+ (byte)0x17, (byte)0xbd, (byte)0x90, (byte)0x19,
+ (byte)0xf7, (byte)0x05, (byte)0xfd, (byte)0xf2,
+ (byte)0xd2, (byte)0xc5, (byte)0xf7, (byte)0x77,
+ (byte)0xbe, (byte)0xea, (byte)0xe2, (byte)0x84,
+ (byte)0x87, (byte)0x97, (byte)0x3a, (byte)0x41,
+ (byte)0x96, (byte)0xb6, (byte)0x99, (byte)0xf8,
+ (byte)0x94, (byte)0x8c, (byte)0x58, (byte)0x71,
+ (byte)0x51, (byte)0x8c, (byte)0xf4, (byte)0x2a,
+ (byte)0x20, (byte)0x9e, (byte)0x1a, (byte)0xa0,
+ (byte)0x26, (byte)0x99, (byte)0x75, (byte)0xd6,
+ (byte)0x31, (byte)0x53, (byte)0x43, (byte)0x39,
+ (byte)0xf5, (byte)0x2a, (byte)0xa6, (byte)0x7e,
+ (byte)0x34, (byte)0x42, (byte)0x51, (byte)0x2a,
+ (byte)0x40, (byte)0x87, (byte)0x03, (byte)0x88,
+ (byte)0x43, (byte)0x69, (byte)0xb2, (byte)0x89,
+ (byte)0x6d, (byte)0x20, (byte)0xbd, (byte)0x7d,
+ (byte)0x71, (byte)0xef, (byte)0x47, (byte)0x0a,
+ (byte)0xdf, (byte)0x06, (byte)0xc1, (byte)0x69,
+ (byte)0x66, (byte)0xa8, (byte)0x22, (byte)0x37,
+ (byte)0x1a, (byte)0x77, (byte)0x1e, (byte)0xc7,
+ (byte)0x94, (byte)0x4e, (byte)0x2c, (byte)0x27,
+ (byte)0x69, (byte)0x45, (byte)0x5e, (byte)0xc8,
+ (byte)0xf8, (byte)0x0c, (byte)0xb7, (byte)0xf8,
+ (byte)0xc0, (byte)0x8f, (byte)0x99, (byte)0xc1,
+ (byte)0xe5, (byte)0x28, (byte)0x9b, (byte)0xf9,
+ (byte)0x4c, (byte)0x94, (byte)0xc6, (byte)0xb1
+ };
+
+ static byte clientModulus[] = {
+ (byte)0x00,
+ (byte)0xbb, (byte)0xf0, (byte)0x40, (byte)0x36,
+ (byte)0xac, (byte)0x26, (byte)0x54, (byte)0x4e,
+ (byte)0xf4, (byte)0xa3, (byte)0x5a, (byte)0x00,
+ (byte)0x2f, (byte)0x69, (byte)0x21, (byte)0x6f,
+ (byte)0xb9, (byte)0x7a, (byte)0x3a, (byte)0x93,
+ (byte)0xec, (byte)0xa2, (byte)0xf6, (byte)0xe1,
+ (byte)0x8e, (byte)0xc7, (byte)0x63, (byte)0xd8,
+ (byte)0x2f, (byte)0x12, (byte)0x30, (byte)0x99,
+ (byte)0x2e, (byte)0xb0, (byte)0xf2, (byte)0x8f,
+ (byte)0xf8, (byte)0x27, (byte)0x2d, (byte)0x24,
+ (byte)0x78, (byte)0x28, (byte)0x84, (byte)0xf7,
+ (byte)0x01, (byte)0xbf, (byte)0x8d, (byte)0x44,
+ (byte)0x79, (byte)0xdd, (byte)0x3b, (byte)0xd2,
+ (byte)0x55, (byte)0xf3, (byte)0xce, (byte)0x3c,
+ (byte)0xb2, (byte)0x5b, (byte)0x21, (byte)0x7d,
+ (byte)0xef, (byte)0xfd, (byte)0x33, (byte)0x4a,
+ (byte)0xb1, (byte)0xa3, (byte)0xff, (byte)0xc6,
+ (byte)0xc8, (byte)0x9b, (byte)0xb9, (byte)0x0f,
+ (byte)0x7c, (byte)0x41, (byte)0x35, (byte)0x97,
+ (byte)0xf9, (byte)0xdb, (byte)0x3a, (byte)0x05,
+ (byte)0x60, (byte)0x05, (byte)0x15, (byte)0xaf,
+ (byte)0x59, (byte)0x17, (byte)0x92, (byte)0xa3,
+ (byte)0x10, (byte)0xad, (byte)0x16, (byte)0x1c,
+ (byte)0xe4, (byte)0x07, (byte)0x53, (byte)0xaf,
+ (byte)0xa8, (byte)0x76, (byte)0xa2, (byte)0x56,
+ (byte)0x2a, (byte)0x92, (byte)0xd3, (byte)0xf9,
+ (byte)0x28, (byte)0xe0, (byte)0x78, (byte)0xcf,
+ (byte)0x5e, (byte)0x1f, (byte)0x48, (byte)0xab,
+ (byte)0x5c, (byte)0x19, (byte)0xdd, (byte)0xe1,
+ (byte)0x67, (byte)0x43, (byte)0xba, (byte)0x75,
+ (byte)0x8d, (byte)0xf5, (byte)0x82, (byte)0xac,
+ (byte)0x43, (byte)0x92, (byte)0x44, (byte)0x1b
+ };
+
+ static char passphrase[] = "passphrase".toCharArray();
+
+ /*
+ * Is the server ready to serve?
+ */
+ volatile static boolean serverReady = false;
+
+ /*
+ * Turn on SSL debugging?
+ */
+ static boolean debug = false;
+
+ /*
+ * Define the server side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doServerSide() throws Exception {
+ SSLContext context = getSSLContext(trusedCertStr, serverCertStr,
+ serverModulus, serverPrivateExponent, passphrase);
+ SSLServerSocketFactory sslssf = context.getServerSocketFactory();
+
+ SSLServerSocket sslServerSocket =
+ (SSLServerSocket) sslssf.createServerSocket(serverPort);
+ serverPort = sslServerSocket.getLocalPort();
+
+
+ // enable endpoint identification
+ // ignore, we may test the feature when known how to parse client
+ // hostname
+ //SSLParameters params = sslServerSocket.getSSLParameters();
+ //params.setEndpointIdentificationAlgorithm("HTTPS");
+ //sslServerSocket.setSSLParameters(params);
+
+ /*
+ * Signal Client, we're ready for his connect.
+ */
+ serverReady = true;
+
+ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
+ sslSocket.setNeedClientAuth(true);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslIS.read();
+ sslOS.write(85);
+ sslOS.flush();
+
+ sslSocket.close();
+
+ }
+
+ /*
+ * Define the client side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doClientSide() throws Exception {
+ /*
+ * Wait for server to get started.
+ */
+ while (!serverReady) {
+ Thread.sleep(50);
+ }
+
+ SSLContext context = getSSLContext(trusedCertStr, clientCertStr,
+ clientModulus, clientPrivateExponent, passphrase);
+
+ SSLSocketFactory sslsf = context.getSocketFactory();
+ SSLSocket sslSocket = (SSLSocket)
+ sslsf.createSocket("localhost", serverPort);
+
+ // enable endpoint identification
+ SSLParameters params = sslSocket.getSSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ sslSocket.setSSLParameters(params);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslOS.write(280);
+ sslOS.flush();
+ sslIS.read();
+
+ sslSocket.close();
+
+ }
+
+ // get the ssl context
+ private static SSLContext getSSLContext(String trusedCertStr,
+ String keyCertStr, byte[] modulus,
+ byte[] privateExponent, char[] passphrase) throws Exception {
+
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(trusedCertStr.getBytes());
+ Certificate trusedCert = cf.generateCertificate(is);
+ is.close();
+
+ // create a key store
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(null, null);
+
+ // import the trused cert
+ ks.setCertificateEntry("RSA Export Signer", trusedCert);
+
+ if (keyCertStr != null) {
+ // generate the private key.
+ RSAPrivateKeySpec priKeySpec = new RSAPrivateKeySpec(
+ new BigInteger(modulus),
+ new BigInteger(privateExponent));
+ KeyFactory kf = KeyFactory.getInstance("RSA");
+ RSAPrivateKey priKey =
+ (RSAPrivateKey)kf.generatePrivate(priKeySpec);
+
+ // generate certificate chain
+ is = new ByteArrayInputStream(keyCertStr.getBytes());
+ Certificate keyCert = cf.generateCertificate(is);
+ is.close();
+
+ Certificate[] chain = new Certificate[2];
+ chain[0] = keyCert;
+ chain[1] = trusedCert;
+
+ // import the key entry.
+ ks.setKeyEntry("Whatever", priKey, passphrase, chain);
+ }
+
+ // create SSL context
+ TrustManagerFactory tmf =
+ TrustManagerFactory.getInstance("SunX509");
+ tmf.init(ks);
+
+ TrustManager tms[] = tmf.getTrustManagers();
+ if (tms == null || tms.length == 0) {
+ throw new Exception("unexpected trust manager implementation");
+ } else {
+ if (!(tms[0] instanceof X509ExtendedTrustManager)) {
+ throw new Exception("unexpected trust manager implementation: "
+ + tms[0].getClass().getCanonicalName());
+ }
+ }
+
+
+ SSLContext ctx = SSLContext.getInstance("TLS");
+
+ if (keyCertStr != null) {
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ kmf.init(ks, passphrase);
+
+ ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+ } else {
+ ctx.init(null, tmf.getTrustManagers(), null);
+ }
+
+ return ctx;
+ }
+
+ /*
+ * =============================================================
+ * The remainder is just support stuff
+ */
+
+ // use any free port by default
+ volatile int serverPort = 0;
+
+ volatile Exception serverException = null;
+ volatile Exception clientException = null;
+
+ public static void main(String args[]) throws Exception {
+ if (debug)
+ System.setProperty("javax.net.debug", "all");
+
+ /*
+ * Start the tests.
+ */
+ new SunX509ExtendedTM();
+ }
+
+ Thread clientThread = null;
+ Thread serverThread = null;
+ /*
+ * Primary constructor, used to drive remainder of the test.
+ *
+ * Fork off the other side, then do your work.
+ */
+ SunX509ExtendedTM() throws Exception {
+ if (separateServerThread) {
+ startServer(true);
+ startClient(false);
+ } else {
+ startClient(true);
+ startServer(false);
+ }
+
+ /*
+ * Wait for other side to close down.
+ */
+ if (separateServerThread) {
+ serverThread.join();
+ } else {
+ clientThread.join();
+ }
+
+ /*
+ * When we get here, the test is pretty much over.
+ *
+ * If the main thread excepted, that propagates back
+ * immediately. If the other thread threw an exception, we
+ * should report back.
+ */
+ if (serverException != null)
+ throw serverException;
+ if (clientException != null)
+ throw clientException;
+ }
+
+ void startServer(boolean newThread) throws Exception {
+ if (newThread) {
+ serverThread = new Thread() {
+ public void run() {
+ try {
+ doServerSide();
+ } catch (Exception e) {
+ /*
+ * Our server thread just died.
+ *
+ * Release the client, if not active already...
+ */
+ System.err.println("Server died...");
+ serverReady = true;
+ serverException = e;
+ }
+ }
+ };
+ serverThread.start();
+ } else {
+ doServerSide();
+ }
+ }
+
+ void startClient(boolean newThread) throws Exception {
+ if (newThread) {
+ clientThread = new Thread() {
+ public void run() {
+ try {
+ doClientSide();
+ } catch (Exception e) {
+ /*
+ * Our client thread just died.
+ */
+ System.err.println("Client died...");
+ clientException = e;
+ }
+ }
+ };
+ clientThread.start();
+ } else {
+ doClientSide();
+ }
+ }
+
+}
diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java
new file mode 100644
index 0000000000000000000000000000000000000000..5796abe2074b169984ce3e2bbd342c2e1ad48835
--- /dev/null
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/X509ExtendedTMEnabled.java
@@ -0,0 +1,384 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 6916074
+ * @summary Add support for TLS 1.2
+ *
+ * Ensure that the SunJSSE provider enables the X509ExtendedTrustManager.
+ */
+
+import java.io.*;
+import java.net.*;
+import javax.net.ssl.*;
+import java.security.cert.*;
+import java.security.*;
+
+public class X509ExtendedTMEnabled {
+
+ /*
+ * =============================================================
+ * Set the various variables needed for the tests, then
+ * specify what tests to run on each side.
+ */
+
+ /*
+ * Should we run the client or server in a separate thread?
+ * Both sides can throw exceptions, but do you have a preference
+ * as to which side should be the main thread.
+ */
+ static boolean separateServerThread = true;
+
+ /*
+ * Where do we find the keystores?
+ */
+ static String pathToStores = "../../../../../../../etc";
+ static String keyStoreFile = "keystore";
+ static String trustStoreFile = "truststore";
+ static String passwd = "passphrase";
+ private final static char[] cpasswd = "passphrase".toCharArray();
+
+ /*
+ * Is the server ready to serve?
+ */
+ volatile static boolean serverReady = false;
+
+ /*
+ * Turn on SSL debugging?
+ */
+ static boolean debug = false;
+
+ /*
+ * If the client or server is doing some kind of object creation
+ * that the other side depends on, and that thread prematurely
+ * exits, you may experience a hang. The test harness will
+ * terminate all hung threads after its timeout has expired,
+ * currently 3 minutes by default, but you might try to be
+ * smart about it....
+ */
+
+ /*
+ * Define the server side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doServerSide() throws Exception {
+ SSLServerSocketFactory sslssf =
+ getContext(true).getServerSocketFactory();
+ SSLServerSocket sslServerSocket =
+ (SSLServerSocket) sslssf.createServerSocket(serverPort);
+ serverPort = sslServerSocket.getLocalPort();
+
+ // enable endpoint identification
+ // ignore, we may test the feature when known how to parse client
+ // hostname
+ //SSLParameters params = sslServerSocket.getSSLParameters();
+ //params.setEndpointIdentificationAlgorithm("HTTPS");
+ //sslServerSocket.setSSLParameters(params);
+
+ /*
+ * Signal Client, we're ready for his connect.
+ */
+ serverReady = true;
+
+ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
+ sslSocket.setNeedClientAuth(true);
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslIS.read();
+ sslOS.write(85);
+ sslOS.flush();
+
+ sslSocket.close();
+
+ if (!serverTM.wasServerChecked() && serverTM.wasClientChecked()) {
+ System.out.println("SERVER TEST PASSED!");
+ } else {
+ throw new Exception("SERVER TEST FAILED! " +
+ !serverTM.wasServerChecked() + " " +
+ serverTM.wasClientChecked());
+ }
+ }
+
+ /*
+ * Define the client side of the test.
+ *
+ * If the server prematurely exits, serverReady will be set to true
+ * to avoid infinite hangs.
+ */
+ void doClientSide() throws Exception {
+
+ /*
+ * Wait for server to get started.
+ */
+ while (!serverReady) {
+ Thread.sleep(50);
+ }
+
+ SSLSocketFactory sslsf = getContext(false).getSocketFactory();
+ SSLSocket sslSocket = (SSLSocket)
+ sslsf.createSocket("localhost", serverPort);
+
+ // enable endpoint identification
+ SSLParameters params = sslSocket.getSSLParameters();
+ params.setEndpointIdentificationAlgorithm("HTTPS");
+ sslSocket.setSSLParameters(params);
+
+ InputStream sslIS = sslSocket.getInputStream();
+ OutputStream sslOS = sslSocket.getOutputStream();
+
+ sslOS.write(280);
+ sslOS.flush();
+ sslIS.read();
+
+ sslSocket.close();
+
+ if (clientTM.wasServerChecked() && !clientTM.wasClientChecked()) {
+ System.out.println("CLIENT TEST PASSED!");
+ } else {
+ throw new Exception("CLIENT TEST FAILED! " +
+ clientTM.wasServerChecked() + " " +
+ !clientTM.wasClientChecked());
+ }
+ }
+
+ MyExtendedX509TM serverTM;
+ MyExtendedX509TM clientTM;
+
+ private SSLContext getContext(boolean server) throws Exception {
+ String keyFilename =
+ System.getProperty("test.src", "./") + "/" + pathToStores +
+ "/" + keyStoreFile;
+ String trustFilename =
+ System.getProperty("test.src", "./") + "/" + pathToStores +
+ "/" + trustStoreFile;
+
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+ KeyStore ks = KeyStore.getInstance("JKS");
+ ks.load(new FileInputStream(keyFilename), cpasswd);
+ kmf.init(ks, cpasswd);
+
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+ KeyStore ts = KeyStore.getInstance("JKS");
+ ts.load(new FileInputStream(trustFilename), cpasswd);
+ tmf.init(ts);
+
+ TrustManager tms[] = tmf.getTrustManagers();
+ if (tms == null || tms.length == 0) {
+ throw new Exception("unexpected trust manager implementation");
+ } else {
+ if (!(tms[0] instanceof X509TrustManager)) {
+ throw new Exception("unexpected trust manager implementation: "
+ + tms[0].getClass().getCanonicalName());
+ }
+ }
+
+ if (server) {
+ serverTM = new MyExtendedX509TM((X509TrustManager)tms[0]);
+
+ tms = new TrustManager[] {serverTM};
+ } else {
+ clientTM = new MyExtendedX509TM((X509TrustManager)tms[0]);
+
+ tms = new TrustManager[] {clientTM};
+ }
+
+ SSLContext ctx = SSLContext.getInstance("TLS");
+ ctx.init(kmf.getKeyManagers(), tms, null);
+
+ return ctx;
+ }
+
+ static class MyExtendedX509TM extends X509ExtendedTrustManager
+ implements X509TrustManager {
+
+ X509TrustManager tm;
+
+ boolean clientChecked;
+ boolean serverChecked;
+
+ MyExtendedX509TM(X509TrustManager tm) {
+ clientChecked = false;
+ serverChecked = false;
+
+ this.tm = tm;
+ }
+
+ public boolean wasClientChecked() {
+ return clientChecked;
+ }
+
+ public boolean wasServerChecked() {
+ return serverChecked;
+ }
+
+
+ public void checkClientTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ tm.checkClientTrusted(chain, authType);
+ }
+
+ public void checkServerTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ tm.checkServerTrusted(chain, authType);
+ }
+
+ public X509Certificate[] getAcceptedIssuers() {
+ return tm.getAcceptedIssuers();
+ }
+
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ clientChecked = true;
+ tm.checkClientTrusted(chain, authType);
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ serverChecked = true;
+ tm.checkServerTrusted(chain, authType);
+ }
+
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ clientChecked = true;
+ tm.checkClientTrusted(chain, authType);
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ serverChecked = true;
+ tm.checkServerTrusted(chain, authType);
+ }
+ }
+
+ /*
+ * =============================================================
+ * The remainder is just support stuff
+ */
+
+ // use any free port by default
+ volatile int serverPort = 0;
+
+ volatile Exception serverException = null;
+ volatile Exception clientException = null;
+
+ public static void main(String[] args) throws Exception {
+
+ if (debug)
+ System.setProperty("javax.net.debug", "all");
+
+ /*
+ * Start the tests.
+ */
+ new X509ExtendedTMEnabled();
+ }
+
+ Thread clientThread = null;
+ Thread serverThread = null;
+
+ /*
+ * Primary constructor, used to drive remainder of the test.
+ *
+ * Fork off the other side, then do your work.
+ */
+ X509ExtendedTMEnabled() throws Exception {
+ if (separateServerThread) {
+ startServer(true);
+ startClient(false);
+ } else {
+ startClient(true);
+ startServer(false);
+ }
+
+ /*
+ * Wait for other side to close down.
+ */
+ if (separateServerThread) {
+ serverThread.join();
+ } else {
+ clientThread.join();
+ }
+
+ /*
+ * When we get here, the test is pretty much over.
+ *
+ * If the main thread excepted, that propagates back
+ * immediately. If the other thread threw an exception, we
+ * should report back.
+ */
+ if (serverException != null)
+ throw serverException;
+ if (clientException != null)
+ throw clientException;
+ }
+
+ void startServer(boolean newThread) throws Exception {
+ if (newThread) {
+ serverThread = new Thread() {
+ public void run() {
+ try {
+ doServerSide();
+ } catch (Exception e) {
+ /*
+ * Our server thread just died.
+ *
+ * Release the client, if not active already...
+ */
+ System.err.println("Server died...");
+ serverReady = true;
+ serverException = e;
+ }
+ }
+ };
+ serverThread.start();
+ } else {
+ doServerSide();
+ }
+ }
+
+ void startClient(boolean newThread) throws Exception {
+ if (newThread) {
+ clientThread = new Thread() {
+ public void run() {
+ try {
+ doClientSide();
+ } catch (Exception e) {
+ /*
+ * Our client thread just died.
+ */
+ System.err.println("Client died...");
+ clientException = e;
+ }
+ }
+ };
+ clientThread.start();
+ } else {
+ doClientSide();
+ }
+ }
+}
+
diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/CheckMyTrustedKeystore.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/CheckMyTrustedKeystore.java
index 817cf1d81ff2be712915ec0d10cb0522d48998f9..925be00f5cc05ac5bbdb79aa1f7f1366691b4898 100644
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/CheckMyTrustedKeystore.java
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/CheckMyTrustedKeystore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
* @bug 4329114
* @summary Need better way of reflecting the reason when a chain is
* rejected as untrusted.
+ * @ignore JSSE supports algorithm constraints with CR 6916074,
+ * need to update this test case in JDK 7 soon
* This is a serious hack job!
* @author Brad Wetmore
*/
diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Basics.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Basics.java
index 47526634e6ef72b5b5c34d251ab334c22aaa61fd..9f73c8dccf541fb95719362ee827b0b1afd01cb7 100644
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Basics.java
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/Basics.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
* @bug 4495742
* @summary Add non-blocking SSL/TLS functionality, usable with any
* I/O abstraction
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
*
* This is intended to test many of the basic API calls to the SSLEngine
* interface. This doesn't really exercise much of the SSL code.
diff --git a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
index 6b477a2bf2003eac16ad82d5ce20ae966ed5598e..9781614318ddf5de99d4aab7f71af8754bebce38 100644
--- a/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
+++ b/test/sun/security/ssl/javax/net/ssl/NewAPIs/SSLEngine/TestAllSuites.java
@@ -24,6 +24,8 @@
/*
* @test
* @bug 4495742
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
* @run main/timeout=180 TestAllSuites
* @summary Add non-blocking SSL/TLS functionality, usable with any
* I/O abstraction
diff --git a/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java b/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
index e1ff7e6464eee590623e05ccf05d0b51d996adde..41966f4fd5ae07a5a0e4b1260db1e7855862dd8b 100644
--- a/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
+++ b/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java
@@ -25,6 +25,8 @@
* @test
* @bug 4750141 4895631
* @summary Check enabled and supported ciphersuites are correct
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
*/
import java.util.*;
diff --git a/test/sun/security/ssl/sanity/interop/CipherTest.java b/test/sun/security/ssl/sanity/interop/CipherTest.java
index 99fa2e0b405e05fff03d4f4c0b88aaf88bac8caa..c7b544260ae061aa880f2c2c234156b8a2b13c4a 100644
--- a/test/sun/security/ssl/sanity/interop/CipherTest.java
+++ b/test/sun/security/ssl/sanity/interop/CipherTest.java
@@ -363,6 +363,12 @@ public class CipherTest {
}
}
+ // ignore obsoleted cipher suite for the specified protocol
+ // TODO
+
+ // ignore unsupported cipher suite for the specified protocol
+ // TODO
+
return true;
}
}
diff --git a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
index 22527a0530f5a290a25639876f0f7ca8db4ece43..74564602d007a9527943bd75fbdd08d7a4ba41aa 100644
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
* @test
* @bug 4496785
* @summary Verify that all ciphersuites work in all configurations
+ * @ignore JSSE supported cipher suites are changed with CR 6916074,
+ * need to update this test case in JDK 7 soon
* @author Andreas Sterbenz
* @run main/othervm/timeout=300 ClientJSSEServerJSSE
*/
diff --git a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressDNSIdentities.java b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressDNSIdentities.java
index 4e63013676ce0392ba28a9bf650a94641424b17d..eac73836572226304f8f4cc2ce2e75110e6b70d9 100644
--- a/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressDNSIdentities.java
+++ b/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressDNSIdentities.java
@@ -713,13 +713,16 @@ public class IPAddressDNSIdentities {
http = (HttpsURLConnection)url.openConnection();
int respCode = http.getResponseCode();
- System.out.println("respCode = "+respCode);
+ System.out.println("respCode = " + respCode);
throw new Exception("Unexpectly found subject alternative name " +
"matching IP address");
} catch (SSLHandshakeException sslhe) {
// no subject alternative names matching IP address 127.0.0.1 found
// that's the expected exception, ignore it.
+ } catch (IOException ioe) {
+ // HttpsClient may throw IOE during checking URL spoofing,
+ // that's the expected exception, ignore it.
} finally {
if (http != null) {
http.disconnect();
engine parameter is available, and the algorithm
+ * constraints of the SSLParameters is non-null, for every
+ * certificate in the certification path, fields such as subject public
+ * key, the signature algorithm, key usage, extended key usage, etc.
+ * need to conform to the algorithm constraints in place on this engine.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param engine the engine used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkServerTrusted(X509Certificate[] chain,
+ String authType, SSLEngine engine) throws CertificateException;
+
+}
diff --git a/src/share/classes/sun/net/www/protocol/https/HttpsClient.java b/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
index 14b6c63b79dd70717436f0733c5d4f3de21cccfb..24618e89b619c9b0dbf7d15217e697bc54168120 100644
--- a/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
+++ b/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -109,6 +109,10 @@ final class HttpsClient extends HttpClient
// HTTPS uses a different default port number than HTTP.
private static final int httpsPortNumber = 443;
+ // default HostnameVerifier class canonical name
+ private static final String defaultHVCanonicalName =
+ "javax.net.ssl.HttpsURLConnection.DefaultHostnameVerifier";
+
/** Returns the default HTTPS port (443) */
@Override
protected int getDefaultPort() { return httpsPortNumber; }
@@ -427,13 +431,93 @@ final class HttpsClient extends HttpClient
}
s.addHandshakeCompletedListener(this);
- // if the HostnameVerifier is not set, try to enable endpoint
- // identification during handshaking
- boolean enabledIdentification = false;
- if (hv instanceof DefaultHostnameVerifier &&
- (s instanceof SSLSocketImpl) &&
- ((SSLSocketImpl)s).trySetHostnameVerification("HTTPS")) {
- enabledIdentification = true;
+ // We have two hostname verification approaches. One is in
+ // SSL/TLS socket layer, where the algorithm is configured with
+ // SSLParameters.setEndpointIdentificationAlgorithm(), and the
+ // hostname verification is done by X509ExtendedTrustManager when
+ // the algorithm is "HTTPS". The other one is in HTTPS layer,
+ // where the algorithm is customized by
+ // HttpsURLConnection.setHostnameVerifier(), and the hostname
+ // verification is done by HostnameVerifier when the default
+ // rules for hostname verification fail.
+ //
+ // The relationship between two hostname verification approaches
+ // likes the following:
+ //
+ // | EIA algorithm
+ // +----------------------------------------------
+ // | null | HTTPS | LDAP/other |
+ // -------------------------------------------------------------
+ // | |1 |2 |3 |
+ // HNV | default | Set HTTPS EIA | use EIA | HTTPS |
+ // |--------------------------------------------------------
+ // | non - |4 |5 |6 |
+ // | default | HTTPS/HNV | use EIA | HTTPS/HNV |
+ // -------------------------------------------------------------
+ //
+ // Abbreviation:
+ // EIA: the endpoint identification algorithm in SSL/TLS
+ // socket layer
+ // HNV: the hostname verification object in HTTPS layer
+ // Notes:
+ // case 1. default HNV and EIA is null
+ // Set EIA as HTTPS, hostname check done in SSL/TLS
+ // layer.
+ // case 2. default HNV and EIA is HTTPS
+ // Use existing EIA, hostname check done in SSL/TLS
+ // layer.
+ // case 3. default HNV and EIA is other than HTTPS
+ // Use existing EIA, EIA check done in SSL/TLS
+ // layer, then do HTTPS check in HTTPS layer.
+ // case 4. non-default HNV and EIA is null
+ // No EIA, no EIA check done in SSL/TLS layer, then do
+ // HTTPS check in HTTPS layer using HNV as override.
+ // case 5. non-default HNV and EIA is HTTPS
+ // Use existing EIA, hostname check done in SSL/TLS
+ // layer. No HNV override possible. We will review this
+ // decision and may update the architecture for JDK 7.
+ // case 6. non-default HNV and EIA is other than HTTPS
+ // Use existing EIA, EIA check done in SSL/TLS layer,
+ // then do HTTPS check in HTTPS layer as override.
+ boolean needToCheckSpoofing = true;
+ String identification =
+ s.getSSLParameters().getEndpointIdentificationAlgorithm();
+ if (identification != null && identification.length() != 0) {
+ if (identification.equalsIgnoreCase("HTTPS")) {
+ // Do not check server identity again out of SSLSocket,
+ // the endpoint will be identified during TLS handshaking
+ // in SSLSocket.
+ needToCheckSpoofing = false;
+ } // else, we don't understand the identification algorithm,
+ // need to check URL spoofing here.
+ } else {
+ boolean isDefaultHostnameVerifier = false;
+
+ // We prefer to let the SSLSocket do the spoof checks, but if
+ // the application has specified a HostnameVerifier (HNV),
+ // we will always use that.
+ if (hv != null) {
+ String canonicalName = hv.getClass().getCanonicalName();
+ if (canonicalName != null &&
+ canonicalName.equalsIgnoreCase(defaultHVCanonicalName)) {
+ isDefaultHostnameVerifier = true;
+ }
+ } else {
+ // Unlikely to happen! As the behavior is the same as the
+ // default hostname verifier, so we prefer to let the
+ // SSLSocket do the spoof checks.
+ isDefaultHostnameVerifier = true;
+ }
+
+ if (isDefaultHostnameVerifier) {
+ // If the HNV is the default from HttpsURLConnection, we
+ // will do the spoof checks in SSLSocket.
+ SSLParameters paramaters = s.getSSLParameters();
+ paramaters.setEndpointIdentificationAlgorithm("HTTPS");
+ s.setSSLParameters(paramaters);
+
+ needToCheckSpoofing = false;
+ }
}
s.startHandshake();
@@ -449,7 +533,7 @@ final class HttpsClient extends HttpClient
}
// check URL spoofing if it has not been checked under handshaking
- if (!enabledIdentification) {
+ if (needToCheckSpoofing) {
checkURLSpoofing(hv);
}
} else {
@@ -463,8 +547,7 @@ final class HttpsClient extends HttpClient
// Server identity checking is done according to RFC 2818: HTTP over TLS
// Section 3.1 Server Identity
private void checkURLSpoofing(HostnameVerifier hostnameVerifier)
- throws IOException
- {
+ throws IOException {
//
// Get authenticated server name, if any
//
diff --git a/src/share/classes/sun/security/internal/interfaces/TlsMasterSecret.java b/src/share/classes/sun/security/internal/interfaces/TlsMasterSecret.java
index 4c5ba86261aa2be09fe35348c86a7c706347c9f8..f3eb222ca68549fb6efa4caa6ee54437b43711e7 100644
--- a/src/share/classes/sun/security/internal/interfaces/TlsMasterSecret.java
+++ b/src/share/classes/sun/security/internal/interfaces/TlsMasterSecret.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,8 @@ import javax.crypto.SecretKey;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
public interface TlsMasterSecret extends SecretKey {
diff --git a/src/share/classes/sun/security/internal/spec/TlsKeyMaterialParameterSpec.java b/src/share/classes/sun/security/internal/spec/TlsKeyMaterialParameterSpec.java
index b5e6a04ba659057485a2e6ef14655b1cd6802fea..80aa79a259646e095c950a98cf6201c62b14cfa5 100644
--- a/src/share/classes/sun/security/internal/spec/TlsKeyMaterialParameterSpec.java
+++ b/src/share/classes/sun/security/internal/spec/TlsKeyMaterialParameterSpec.java
@@ -39,7 +39,8 @@ import javax.crypto.SecretKey;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
@@ -50,6 +51,9 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
private final String cipherAlgorithm;
private final int cipherKeyLength, ivLength, macKeyLength;
private final int expandedCipherKeyLength; // == 0 for domestic ciphersuites
+ private final String prfHashAlg;
+ private final int prfHashLength;
+ private final int prfBlockSize;
/**
* Constructs a new TlsKeyMaterialParameterSpec.
@@ -71,6 +75,12 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
* @param ivLength the length in bytes of the initialization vector
* to be generated, or 0 if no initialization vector is required
* @param macKeyLength the length in bytes of the MAC key to be generated
+ * @param prfHashAlg the name of the TLS PRF hash algorithm to use.
+ * Used only for TLS 1.2+. TLS1.1 and earlier use a fixed PRF.
+ * @param prfHashLength the output length of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
+ * @param prfBlockSize the input block size of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
*
* @throws NullPointerException if masterSecret, clientRandom,
* serverRandom, or cipherAlgorithm are null
@@ -82,7 +92,8 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
public TlsKeyMaterialParameterSpec(SecretKey masterSecret,
int majorVersion, int minorVersion, byte[] clientRandom,
byte[] serverRandom, String cipherAlgorithm, int cipherKeyLength,
- int expandedCipherKeyLength, int ivLength, int macKeyLength) {
+ int expandedCipherKeyLength, int ivLength, int macKeyLength,
+ String prfHashAlg, int prfHashLength, int prfBlockSize) {
if (masterSecret.getAlgorithm().equals("TlsMasterSecret") == false) {
throw new IllegalArgumentException("Not a TLS master secret");
}
@@ -101,6 +112,9 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
this.expandedCipherKeyLength = checkSign(expandedCipherKeyLength);
this.ivLength = checkSign(ivLength);
this.macKeyLength = checkSign(macKeyLength);
+ this.prfHashAlg = prfHashAlg;
+ this.prfHashLength = prfHashLength;
+ this.prfBlockSize = prfBlockSize;
}
private static int checkSign(int k) {
@@ -216,4 +230,30 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
return macKeyLength;
}
+ /**
+ * Obtains the PRF hash algorithm to use in the PRF calculation.
+ *
+ * @return the hash algorithm.
+ */
+ public String getPRFHashAlg() {
+ return prfHashAlg;
+ }
+
+ /**
+ * Obtains the length of the PRF hash algorithm.
+ *
+ * @return the hash algorithm length.
+ */
+ public int getPRFHashLength() {
+ return prfHashLength;
+ }
+
+ /**
+ * Obtains the block size of the PRF hash algorithm.
+ *
+ * @return the hash algorithm block size
+ */
+ public int getPRFBlockSize() {
+ return prfBlockSize;
+ }
}
diff --git a/src/share/classes/sun/security/internal/spec/TlsKeyMaterialSpec.java b/src/share/classes/sun/security/internal/spec/TlsKeyMaterialSpec.java
index d92b9ad907164ef38e49420327032040e7316c16..d1204962881ed9ef2fa4ddfc3df339f54345ba0b 100644
--- a/src/share/classes/sun/security/internal/spec/TlsKeyMaterialSpec.java
+++ b/src/share/classes/sun/security/internal/spec/TlsKeyMaterialSpec.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,7 +39,8 @@ import javax.crypto.spec.IvParameterSpec;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
public class TlsKeyMaterialSpec implements KeySpec, SecretKey {
@@ -80,7 +81,8 @@ public class TlsKeyMaterialSpec implements KeySpec, SecretKey {
*/
public TlsKeyMaterialSpec(SecretKey clientMacKey, SecretKey serverMacKey,
SecretKey clientCipherKey, SecretKey serverCipherKey) {
- this(clientMacKey, serverMacKey, clientCipherKey, null, serverCipherKey, null);
+ this(clientMacKey, serverMacKey, clientCipherKey, null,
+ serverCipherKey, null);
}
/**
diff --git a/src/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java b/src/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
index 1abf9e6525af3c572e41279e57765ed7464cd3c0..832b38edd76e71773e6fe8bf9905a27dfc403035 100644
--- a/src/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
+++ b/src/share/classes/sun/security/internal/spec/TlsMasterSecretParameterSpec.java
@@ -39,7 +39,8 @@ import javax.crypto.SecretKey;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
@@ -47,6 +48,9 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
private final SecretKey premasterSecret;
private final int majorVersion, minorVersion;
private final byte[] clientRandom, serverRandom;
+ private final String prfHashAlg;
+ private final int prfHashLength;
+ private final int prfBlockSize;
/**
* Constructs a new TlsMasterSecretParameterSpec.
@@ -60,6 +64,12 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
* @param minorVersion the minor number of the protocol version
* @param clientRandom the client's random value
* @param serverRandom the server's random value
+ * @param prfHashAlg the name of the TLS PRF hash algorithm to use.
+ * Used only for TLS 1.2+. TLS1.1 and earlier use a fixed PRF.
+ * @param prfHashLength the output length of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
+ * @param prfBlockSize the input block size of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
*
* @throws NullPointerException if premasterSecret, clientRandom,
* or serverRandom are null
@@ -68,7 +78,8 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
*/
public TlsMasterSecretParameterSpec(SecretKey premasterSecret,
int majorVersion, int minorVersion,
- byte[] clientRandom, byte[] serverRandom) {
+ byte[] clientRandom, byte[] serverRandom,
+ String prfHashAlg, int prfHashLength, int prfBlockSize) {
if (premasterSecret == null) {
throw new NullPointerException("premasterSecret must not be null");
}
@@ -77,6 +88,9 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
this.minorVersion = checkVersion(minorVersion);
this.clientRandom = clientRandom.clone();
this.serverRandom = serverRandom.clone();
+ this.prfHashAlg = prfHashAlg;
+ this.prfHashLength = prfHashLength;
+ this.prfBlockSize = prfBlockSize;
}
static int checkVersion(int version) {
@@ -132,4 +146,30 @@ public class TlsMasterSecretParameterSpec implements AlgorithmParameterSpec {
return serverRandom.clone();
}
+ /**
+ * Obtains the PRF hash algorithm to use in the PRF calculation.
+ *
+ * @return the hash algorithm.
+ */
+ public String getPRFHashAlg() {
+ return prfHashAlg;
+ }
+
+ /**
+ * Obtains the length of the PRF hash algorithm.
+ *
+ * @return the hash algorithm length.
+ */
+ public int getPRFHashLength() {
+ return prfHashLength;
+ }
+
+ /**
+ * Obtains the block size of the PRF hash algorithm.
+ *
+ * @return the hash algorithm block size.
+ */
+ public int getPRFBlockSize() {
+ return prfBlockSize;
+ }
}
diff --git a/src/share/classes/sun/security/internal/spec/TlsPrfParameterSpec.java b/src/share/classes/sun/security/internal/spec/TlsPrfParameterSpec.java
index 0d4e381280c7cb9a1fc345224bd8ca36a17b519c..5958663bcf7bc53f122f213286361145debc95c6 100644
--- a/src/share/classes/sun/security/internal/spec/TlsPrfParameterSpec.java
+++ b/src/share/classes/sun/security/internal/spec/TlsPrfParameterSpec.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,8 @@ import javax.crypto.SecretKey;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
@@ -47,6 +48,9 @@ public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
private final String label;
private final byte[] seed;
private final int outputLength;
+ private final String prfHashAlg;
+ private final int prfHashLength;
+ private final int prfBlockSize;
/**
* Constructs a new TlsPrfParameterSpec.
@@ -55,11 +59,19 @@ public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
* @param label the label to use in the calculation
* @param seed the random seed to use in the calculation
* @param outputLength the length in bytes of the output key to be produced
+ * @param prfHashAlg the name of the TLS PRF hash algorithm to use.
+ * Used only for TLS 1.2+. TLS1.1 and earlier use a fixed PRF.
+ * @param prfHashLength the output length of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
+ * @param prfBlockSize the input block size of the TLS PRF hash algorithm.
+ * Used only for TLS 1.2+.
*
* @throws NullPointerException if label or seed is null
* @throws IllegalArgumentException if outputLength is negative
*/
- public TlsPrfParameterSpec(SecretKey secret, String label, byte[] seed, int outputLength) {
+ public TlsPrfParameterSpec(SecretKey secret, String label,
+ byte[] seed, int outputLength,
+ String prfHashAlg, int prfHashLength, int prfBlockSize) {
if ((label == null) || (seed == null)) {
throw new NullPointerException("label and seed must not be null");
}
@@ -70,6 +82,9 @@ public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
this.label = label;
this.seed = seed.clone();
this.outputLength = outputLength;
+ this.prfHashAlg = prfHashAlg;
+ this.prfHashLength = prfHashLength;
+ this.prfBlockSize = prfBlockSize;
}
/**
@@ -110,4 +125,33 @@ public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
return outputLength;
}
+ /**
+ * Obtains the PRF hash algorithm to use in the PRF calculation.
+ *
+ * @return the hash algorithm, or null if no algorithm was specified.
+ */
+ public String getPRFHashAlg() {
+ return prfHashAlg;
+ }
+
+ /**
+ * Obtains the length of PRF hash algorithm.
+ *
+ * It would have been preferred to use MessageDigest.getDigestLength(),
+ * but the API does not require implementations to support the method.
+ *
+ * @return the hash algorithm length.
+ */
+ public int getPRFHashLength() {
+ return prfHashLength;
+ }
+
+ /**
+ * Obtains the length of PRF hash algorithm.
+ *
+ * @return the hash algorithm length.
+ */
+ public int getPRFBlockSize() {
+ return prfBlockSize;
+ }
}
diff --git a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java
index 42ba7d7a82648d5e16357beebcc75d3bc27e43f4..7ff1d7ff80fde64952280cfc20b0c2c7ccf47137 100644
--- a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java
+++ b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -36,10 +36,12 @@ import java.security.spec.AlgorithmParameterSpec;
*
* @since 1.6
* @author Andreas Sterbenz
- * @deprecated Sun JDK internal use only --- WILL BE REMOVED in Dolphin (JDK 7)
+ * @deprecated Sun JDK internal use only --- WILL BE REMOVED in a future
+ * release.
*/
@Deprecated
-public class TlsRsaPremasterSecretParameterSpec implements AlgorithmParameterSpec {
+public class TlsRsaPremasterSecretParameterSpec
+ implements AlgorithmParameterSpec {
private final int majorVersion;
private final int minorVersion;
@@ -58,10 +60,12 @@ public class TlsRsaPremasterSecretParameterSpec implements AlgorithmParameterSpe
* @throws IllegalArgumentException if minorVersion or majorVersion are
* negative or larger than 255
*/
- public TlsRsaPremasterSecretParameterSpec(int majorVersion, int minorVersion) {
- this.majorVersion = TlsMasterSecretParameterSpec.checkVersion(majorVersion);
- this.minorVersion = TlsMasterSecretParameterSpec.checkVersion(minorVersion);
- }
+ public TlsRsaPremasterSecretParameterSpec(int majorVersion,
+ int minorVersion) {
+ this.majorVersion =
+ TlsMasterSecretParameterSpec.checkVersion(majorVersion);
+ this.minorVersion =
+ TlsMasterSecretParameterSpec.checkVersion(minorVersion); }
/**
* Returns the major version.
diff --git a/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/share/classes/sun/security/pkcs11/SunPKCS11.java
index 95be485b58a0a2fcef677e09bb46eb1287822e57..33691f87ef725f7c5a20788af6fc8b82f0d2e135 100644
--- a/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -655,6 +655,25 @@ public final class SunPKCS11 extends AuthProvider {
d(SIG, "SHA512withRSA", P11Signature,
m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ /*
+ * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the
+ * PRF calculations. As of 2010, there is no PKCS11-level
+ * support for TLS 1.2 PRF calculations, and no known OS's have
+ * an internal variant we could use. Therefore for TLS 1.2, we
+ * are updating JSSE to request different provider algorithms
+ * (e.g. "SunTls12Prf"), and currently only SunJCE has these
+ * TLS 1.2 algorithms.
+ *
+ * If we reused the names such as "SunTlsPrf", the PKCS11
+ * providers would need be updated to fail correctly when
+ * presented with the wrong version number (via
+ * Provider.Service.supportsParameters()), and we would also
+ * need to add the appropriate supportsParamters() checks into
+ * KeyGenerators (not currently there).
+ *
+ * In the future, if PKCS11 support is added, we will restructure
+ * this.
+ */
d(KG, "SunTlsRsaPremasterSecret",
"sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN));
@@ -887,7 +906,8 @@ public final class SunPKCS11 extends AuthProvider {
return (aliases == null) ? null : Arrays.asList(aliases);
}
- public Object newInstance(Object param) throws NoSuchAlgorithmException {
+ public Object newInstance(Object param)
+ throws NoSuchAlgorithmException {
if (token.isValid() == false) {
throw new NoSuchAlgorithmException("Token has been removed");
}
diff --git a/src/share/classes/sun/security/rsa/RSASignature.java b/src/share/classes/sun/security/rsa/RSASignature.java
index 5f02bf4ffcd8584887fbd85edc55d8db314dd638..74a42c0a3f5bfb6497dc151816285cf9e527f4fc 100644
--- a/src/share/classes/sun/security/rsa/RSASignature.java
+++ b/src/share/classes/sun/security/rsa/RSASignature.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -49,7 +49,7 @@ import sun.security.x509.AlgorithmId;
public abstract class RSASignature extends SignatureSpi {
// we sign an ASN.1 SEQUENCE of AlgorithmId and digest
- // it has the form 30:xx:30:0c:[digestOID]:05:00:04:xx:[digest]
+ // it has the form 30:xx:30:xx:[digestOID]:05:00:04:xx:[digest]
// this means the encoded length is (8 + digestOID.length + digest.length)
private static final int baseLength = 8;
@@ -104,7 +104,8 @@ public abstract class RSASignature extends SignatureSpi {
// initialize for signing. See JCA doc
protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
throws InvalidKeyException {
- RSAPrivateKey rsaKey = (RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
+ RSAPrivateKey rsaKey =
+ (RSAPrivateKey)RSAKeyFactory.toRSAKey(privateKey);
this.privateKey = rsaKey;
this.publicKey = null;
initCommon(rsaKey, random);
@@ -212,7 +213,8 @@ public abstract class RSASignature extends SignatureSpi {
DerOutputStream out = new DerOutputStream();
new AlgorithmId(oid).encode(out);
out.putOctetString(digest);
- DerValue result = new DerValue(DerValue.tag_Sequence, out.toByteArray());
+ DerValue result =
+ new DerValue(DerValue.tag_Sequence, out.toByteArray());
return result.toByteArray();
}
@@ -229,7 +231,8 @@ public abstract class RSASignature extends SignatureSpi {
}
AlgorithmId algId = AlgorithmId.parse(values[0]);
if (algId.getOID().equals(oid) == false) {
- throw new IOException("ObjectIdentifier mismatch: " + algId.getOID());
+ throw new IOException("ObjectIdentifier mismatch: "
+ + algId.getOID());
}
if (algId.getEncodedParams() != null) {
throw new IOException("Unexpected AlgorithmId parameters");
diff --git a/src/share/classes/sun/security/ssl/CipherSuite.java b/src/share/classes/sun/security/ssl/CipherSuite.java
index ce739a67d876e6ea6395da544cd812df6534b10d..247e34d5e11810ce566f234be4cd997e60db3c21 100644
--- a/src/share/classes/sun/security/ssl/CipherSuite.java
+++ b/src/share/classes/sun/security/ssl/CipherSuite.java
@@ -38,6 +38,7 @@ import javax.crypto.spec.SecretKeySpec;
import sun.security.ssl.CipherSuite.*;
import static sun.security.ssl.CipherSuite.KeyExchange.*;
+import static sun.security.ssl.CipherSuite.PRF.*;
import static sun.security.ssl.JsseJce.*;
/**
@@ -102,12 +103,15 @@ final class CipherSuite implements Comparable {
// by default
final int priority;
- // key exchange, bulk cipher, and mac algorithms. See those classes below.
+ // key exchange, bulk cipher, mac and prf algorithms. See those
+ // classes below.
final KeyExchange keyExchange;
final BulkCipher cipher;
final MacAlg macAlg;
+ final PRF prfAlg;
// whether a CipherSuite qualifies as exportable under 512/40 bit rules.
+ // TLS 1.1+ (RFC 4346) must not negotiate to these suites.
final boolean exportable;
// true iff implemented and enabled at compile time
@@ -116,9 +120,15 @@ final class CipherSuite implements Comparable {
// obsoleted since protocol version
final int obsoleted;
+ // supported since protocol version
+ final int supported;
+
+ /**
+ * Constructor for implemented CipherSuites.
+ */
private CipherSuite(String name, int id, int priority,
KeyExchange keyExchange, BulkCipher cipher,
- boolean allowed, int obsoleted) {
+ boolean allowed, int obsoleted, int supported, PRF prfAlg) {
this.name = name;
this.id = id;
this.priority = priority;
@@ -129,6 +139,10 @@ final class CipherSuite implements Comparable {
macAlg = M_MD5;
} else if (name.endsWith("_SHA")) {
macAlg = M_SHA;
+ } else if (name.endsWith("_SHA256")) {
+ macAlg = M_SHA256;
+ } else if (name.endsWith("_SHA384")) {
+ macAlg = M_SHA384;
} else if (name.endsWith("_NULL")) {
macAlg = M_NULL;
} else if (name.endsWith("_SCSV")) {
@@ -142,8 +156,13 @@ final class CipherSuite implements Comparable {
allowed &= cipher.allowed;
this.allowed = allowed;
this.obsoleted = obsoleted;
+ this.supported = supported;
+ this.prfAlg = prfAlg;
}
+ /**
+ * Constructor for unimplemented CipherSuites.
+ */
private CipherSuite(String name, int id) {
this.name = name;
this.id = id;
@@ -155,6 +174,8 @@ final class CipherSuite implements Comparable {
this.macAlg = null;
this.exportable = false;
this.obsoleted = ProtocolVersion.LIMIT_MAX_VALUE;
+ this.supported = ProtocolVersion.LIMIT_MIN_VALUE;
+ this.prfAlg = P_NONE;
}
/**
@@ -236,12 +257,17 @@ final class CipherSuite implements Comparable {
return nameMap.values();
}
+ /*
+ * Use this method when all of the values need to be specified.
+ * This is primarily used when defining a new ciphersuite for
+ * TLS 1.2+ that doesn't use the "default" PRF.
+ */
private static void add(String name, int id, int priority,
KeyExchange keyExchange, BulkCipher cipher,
- boolean allowed, int obsoleted) {
+ boolean allowed, int obsoleted, int supported, PRF prf) {
CipherSuite c = new CipherSuite(name, id, priority, keyExchange,
- cipher, allowed, obsoleted);
+ cipher, allowed, obsoleted, supported, prf);
if (idMap.put(id, c) != null) {
throw new RuntimeException("Duplicate ciphersuite definition: "
+ id + ", " + name);
@@ -254,12 +280,41 @@ final class CipherSuite implements Comparable {
}
}
+ /*
+ * Use this method when there is no lower protocol limit where this
+ * suite can be used, and the PRF is P_SHA256. That is, the
+ * existing ciphersuites. From RFC 5246:
+ *
+ * All cipher suites in this document use P_SHA256.
+ */
+ private static void add(String name, int id, int priority,
+ KeyExchange keyExchange, BulkCipher cipher,
+ boolean allowed, int obsoleted) {
+ // If this is an obsoleted suite, then don't let the TLS 1.2
+ // protocol have a valid PRF value.
+ PRF prf = P_SHA256;
+ if (obsoleted < ProtocolVersion.TLS12.v) {
+ prf = P_NONE;
+ }
+
+ add(name, id, priority, keyExchange, cipher, allowed, obsoleted,
+ ProtocolVersion.LIMIT_MIN_VALUE, prf);
+ }
+
+ /*
+ * Use this method when there is no upper protocol limit. That is,
+ * suites which have not been obsoleted.
+ */
private static void add(String name, int id, int priority,
KeyExchange keyExchange, BulkCipher cipher, boolean allowed) {
add(name, id, priority, keyExchange,
cipher, allowed, ProtocolVersion.LIMIT_MAX_VALUE);
}
+ /*
+ * Use this method to define an unimplemented suite. This provides
+ * a number<->name mapping that can be used for debugging.
+ */
private static void add(String name, int id) {
CipherSuite c = new CipherSuite(name, id);
if (idMap.put(id, c) != null) {
@@ -459,7 +514,7 @@ final class CipherSuite implements Comparable {
/**
* An SSL/TLS key MAC algorithm.
*
- * Also contains a factory method to obtain in initialized MAC
+ * Also contains a factory method to obtain an initialized MAC
* for this algorithm.
*/
final static class MacAlg {
@@ -519,6 +574,48 @@ final class CipherSuite implements Comparable {
final static MacAlg M_NULL = new MacAlg("NULL", 0);
final static MacAlg M_MD5 = new MacAlg("MD5", 16);
final static MacAlg M_SHA = new MacAlg("SHA", 20);
+ final static MacAlg M_SHA256 = new MacAlg("SHA256", 32);
+ final static MacAlg M_SHA384 = new MacAlg("SHA384", 48);
+
+ // PRFs (PseudoRandom Function) from TLS specifications.
+ //
+ // TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for generating
+ // the necessary material.
+ //
+ // In TLS 1.2+, all existing/known CipherSuites use SHA256, however
+ // new Ciphersuites (e.g. RFC 5288) can define specific PRF hash
+ // algorithms.
+ static enum PRF {
+
+ // PRF algorithms
+ P_NONE( "NONE", 0, 0),
+ P_SHA256("SHA-256", 32, 64),
+ P_SHA384("SHA-384", 48, 128),
+ P_SHA512("SHA-512", 64, 128); // not currently used.
+
+ // PRF characteristics
+ private final String prfHashAlg;
+ private final int prfHashLength;
+ private final int prfBlockSize;
+
+ PRF(String prfHashAlg, int prfHashLength, int prfBlockSize) {
+ this.prfHashAlg = prfHashAlg;
+ this.prfHashLength = prfHashLength;
+ this.prfBlockSize = prfBlockSize;
+ }
+
+ String getPRFHashAlg() {
+ return prfHashAlg;
+ }
+
+ int getPRFHashLength() {
+ return prfHashLength;
+ }
+
+ int getPRFBlockSize() {
+ return prfBlockSize;
+ }
+ }
static {
idMap = new HashMap
+ * HandshakeHash hh = new HandshakeHash(...)
+ * hh.update(clientHelloBytes);
+ * hh.setFinishedAlg("SHA-256");
+ * hh.update(serverHelloBytes);
+ * ...
+ * hh.setCertificateVerifyAlg("SHA-384");
+ * hh.update(CertificateVerifyBytes);
+ * byte[] cvDigest = hh.getCertificateVerifyHash();
+ * ...
+ * hh.update(finished1);
+ * byte[] finDigest1 = hh.getFinishedHash();
+ * hh.update(finished2);
+ * byte[] finDigest2 = hh.getFinishedHash();
+ *
+ * If no CertificateVerify message is to be used, call
+ *
+ * hh.setCertificateVerifyAlg(null);
+ *
+ * This call can be made once you are certain that this message
+ * will never be used.
*/
final class HandshakeHash {
- private final MessageDigest md5, sha;
+ // Common
+
+ // -1: unknown
+ // 1: <=TLS 1.1
+ // 2: TLS 1.2
+ private int version = -1;
+ private ByteArrayOutputStream data = new ByteArrayOutputStream();
+ private final boolean isServer;
+
+ // For TLS 1.1
+ private MessageDigest md5, sha;
+ private final int clonesNeeded; // needs to be saved for later use
+
+ // For TLS 1.2
+ // cvAlgDetermined == true means setCertificateVerifyAlg() is called
+ private boolean cvAlgDetermined = false;
+ private String cvAlg;
+ private MessageDigest finMD;
/**
* Create a new HandshakeHash. needCertificateVerify indicates whether
- * a hash for the certificate verify message is required.
+ * a hash for the certificate verify message is required. The argument
+ * algs is a set of all possible hash algorithms that might be used in
+ * TLS 1.2. If the caller is sure that TLS 1.2 won't be used or no
+ * CertificateVerify message will be used, leave it null or empty.
*/
- HandshakeHash(boolean needCertificateVerify) {
- int n = needCertificateVerify ? 3 : 2;
- try {
- md5 = CloneableDigest.getDigest("MD5", n);
- sha = CloneableDigest.getDigest("SHA", n);
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException
- ("Algorithm MD5 or SHA not available", e);
-
- }
- }
-
- void update(byte b) {
- md5.update(b);
- sha.update(b);
+ HandshakeHash(boolean isServer, boolean needCertificateVerify,
+ SetRunnable task for
* this SSLEngine.
@@ -1629,6 +1644,9 @@ final public class SSLEngineImpl extends SSLEngine {
inboundDone = true;
sess.invalidate();
+ if (handshakeSession != null) {
+ handshakeSession.invalidate();
+ }
/*
* If we haven't even started handshaking yet, no need
@@ -1971,7 +1989,7 @@ final public class SSLEngineImpl extends SSLEngine {
/**
* Returns the protocols that are supported by this implementation.
* A subset of the supported protocols may be enabled for this connection
- * @ returns an array of protocol names.
+ * @return an array of protocol names.
*/
public String[] getSupportedProtocols() {
return ProtocolList.getSupported().toStringArray();
@@ -1998,28 +2016,31 @@ final public class SSLEngineImpl extends SSLEngine {
}
/**
- * Try to configure the endpoint identification algorithm of the engine.
- *
- * @param identificationAlgorithm the algorithm used to check the
- * endpoint identity.
- * @return true if the identification algorithm configuration success.
+ * Returns the SSLParameters in effect for this SSLEngine.
*/
- synchronized public boolean trySetHostnameVerification(
- String identificationAlgorithm) {
- if (sslContext.getX509TrustManager() instanceof
- X509ExtendedTrustManager) {
- this.identificationAlg = identificationAlgorithm;
- return true;
- } else {
- return false;
- }
+ synchronized public SSLParameters getSSLParameters() {
+ SSLParameters params = super.getSSLParameters();
+
+ // the super implementation does not handle the following parameters
+ params.setEndpointIdentificationAlgorithm(identificationProtocol);
+ params.setAlgorithmConstraints(algorithmConstraints);
+
+ return params;
}
/**
- * Returns the endpoint identification algorithm of the engine.
+ * Applies SSLParameters to this engine.
*/
- synchronized public String getHostnameVerification() {
- return identificationAlg;
+ synchronized public void setSSLParameters(SSLParameters params) {
+ super.setSSLParameters(params);
+
+ // the super implementation does not handle the following parameters
+ identificationProtocol = params.getEndpointIdentificationAlgorithm();
+ algorithmConstraints = params.getAlgorithmConstraints();
+ if ((handshaker != null) && !handshaker.started()) {
+ handshaker.setIdentificationProtocol(identificationProtocol);
+ handshaker.setAlgorithmConstraints(algorithmConstraints);
+ }
}
/**
diff --git a/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java b/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
index ca5fd29487f9a56e631577a6689dceefc6ca2e0d..0ea3cfa9fbad805ca31047132bbc12405ddc32bb 100644
--- a/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
@@ -31,11 +31,14 @@ import java.net.InetAddress;
import java.net.Socket;
import java.net.ServerSocket;
+import java.security.AlgorithmConstraints;
+
import java.util.*;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLParameters;
/**
@@ -83,6 +86,12 @@ class SSLServerSocketImpl extends SSLServerSocket
/* could enabledCipherSuites ever complete handshaking? */
private boolean checkedEnabled = false;
+ // the endpoint identification protocol to use by default
+ private String identificationProtocol = null;
+
+ // The cryptographic algorithm constraints
+ private AlgorithmConstraints algorithmConstraints = null;
+
/**
* Create an SSL server socket on a port, using a non-default
* authentication context and a specified connection backlog.
@@ -272,6 +281,30 @@ class SSLServerSocketImpl extends SSLServerSocket
return enableSessionCreation;
}
+ /**
+ * Returns the SSLParameters in effect for newly accepted connections.
+ */
+ synchronized public SSLParameters getSSLParameters() {
+ SSLParameters params = super.getSSLParameters();
+
+ // the super implementation does not handle the following parameters
+ params.setEndpointIdentificationAlgorithm(identificationProtocol);
+ params.setAlgorithmConstraints(algorithmConstraints);
+
+ return params;
+ }
+
+ /**
+ * Applies SSLParameters to newly accepted connections.
+ */
+ synchronized public void setSSLParameters(SSLParameters params) {
+ super.setSSLParameters(params);
+
+ // the super implementation does not handle the following parameters
+ identificationProtocol = params.getEndpointIdentificationAlgorithm();
+ algorithmConstraints = params.getAlgorithmConstraints();
+ }
+
/**
* Accept a new SSL connection. This server identifies itself with
* information provided in the authentication context which was
@@ -280,7 +313,7 @@ class SSLServerSocketImpl extends SSLServerSocket
public Socket accept() throws IOException {
SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
enabledCipherSuites, doClientAuth, enableSessionCreation,
- enabledProtocols);
+ enabledProtocols, identificationProtocol, algorithmConstraints);
implAccept(s);
s.doneConnect();
diff --git a/src/share/classes/sun/security/ssl/SSLSessionImpl.java b/src/share/classes/sun/security/ssl/SSLSessionImpl.java
index f885c83cb664788da03f73c819500f41650c758a..05288538e6c2d03a8bb8d7b2942878b13c27fbb3 100644
--- a/src/share/classes/sun/security/ssl/SSLSessionImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLSessionImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,8 @@ import java.net.*;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
+import java.util.Arrays;
+import java.util.Collection;
import java.security.Principal;
import java.security.PrivateKey;
@@ -47,6 +49,8 @@ import javax.net.ssl.SSLSessionBindingEvent;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLPermission;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.ExtendedSSLSession;
import javax.security.auth.x500.X500Principal;
@@ -71,7 +75,7 @@ import static sun.security.ssl.CipherSuite.KeyExchange.*;
*
* @author David Brownell
*/
-final class SSLSessionImpl implements SSLSession {
+final class SSLSessionImpl extends ExtendedSSLSession {
/*
* we only really need a single null session
@@ -89,7 +93,7 @@ final class SSLSessionImpl implements SSLSession {
private final SessionId sessionId;
private X509Certificate[] peerCerts;
private byte compressionMethod;
- private final CipherSuite cipherSuite;
+ private CipherSuite cipherSuite;
private SecretKey masterSecret;
/*
@@ -105,6 +109,8 @@ final class SSLSessionImpl implements SSLSession {
private boolean invalidated;
private X509Certificate[] localCerts;
private PrivateKey localPrivateKey;
+ private String[] localSupportedSignAlgs;
+ private String[] peerSupportedSignAlgs;
// Principals for non-certificate based cipher suites
private Principal peerPrincipal;
@@ -132,8 +138,8 @@ final class SSLSessionImpl implements SSLSession {
* first opened and before handshaking begins.
*/
private SSLSessionImpl() {
- this(ProtocolVersion.NONE, CipherSuite.C_NULL,
- new SessionId(false, null), null, -1);
+ this(ProtocolVersion.NONE, CipherSuite.C_NULL, null,
+ new SessionId(false, null), null, -1);
}
/*
@@ -142,8 +148,9 @@ final class SSLSessionImpl implements SSLSession {
* is intended mostly for use by serves.
*/
SSLSessionImpl(ProtocolVersion protocolVersion, CipherSuite cipherSuite,
+ Collection