8164846: CertificateException missing cause of underlying exception

Reviewed-by: xuelei

8164846: CertificateException missing cause of underlying exception
Reviewed-by: xuelei
77f696cb · coffeys · be4d0ba8 · 77f696cb · 77f696cb
2 changed file
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -1115,7 +1115,7 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
            }
        } catch (CertPathValidatorException cpve) {
            throw new CertificateException(
-                "Certificates does not conform to algorithm constraints");
+                "Certificates do not conform to algorithm constraints", cpve);
        }
    }
 }

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/TrustTrustedCert.java
@@ -30,12 +30,13 @@

 /*
 * @test
- * @bug 7113275
+ * @bug 7113275 8164846
 * @summary compatibility issue with MD2 trust anchor and old X509TrustManager
- * @run main/othervm TrustTrustedCert PKIX TLSv1.1
- * @run main/othervm TrustTrustedCert SunX509 TLSv1.1
- * @run main/othervm TrustTrustedCert PKIX TLSv1.2
- * @run main/othervm TrustTrustedCert SunX509 TLSv1.2
+ * @run main/othervm TrustTrustedCert PKIX TLSv1.1 true
+ * @run main/othervm TrustTrustedCert PKIX TLSv1.1 false
+ * @run main/othervm TrustTrustedCert SunX509 TLSv1.1 false
+ * @run main/othervm TrustTrustedCert PKIX TLSv1.2 false
+ * @run main/othervm TrustTrustedCert SunX509 TLSv1.2 false
 */

 import java.net.*;
@@ -181,23 +182,32 @@ public class TrustTrustedCert {
            Thread.sleep(50);
        }

-        SSLContext context = generateSSLContext();
-        SSLSocketFactory sslsf = context.getSocketFactory();
-
-        SSLSocket sslSocket =
-            (SSLSocket)sslsf.createSocket("localhost", serverPort);
-
-        // enable the specified TLS protocol
-        sslSocket.setEnabledProtocols(new String[] {tlsProtocol});
-
-        InputStream sslIS = sslSocket.getInputStream();
-        OutputStream sslOS = sslSocket.getOutputStream();
-
-        sslOS.write('B');
-        sslOS.flush();
-        sslIS.read();
-
-        sslSocket.close();
+        SSLSocket sslSocket = null;
+        try {
+            SSLContext context = generateSSLContext();
+            SSLSocketFactory sslsf = context.getSocketFactory();
+
+            sslSocket = (SSLSocket)sslsf.createSocket("localhost", serverPort);
+
+            // enable the specified TLS protocol
+            sslSocket.setEnabledProtocols(new String[] {tlsProtocol});
+
+            InputStream sslIS = sslSocket.getInputStream();
+            OutputStream sslOS = sslSocket.getOutputStream();
+            sslOS.write('B');
+            sslOS.flush();
+            sslIS.read();
+        } catch (SSLHandshakeException e) {
+            // focus in on the CertPathValidatorException
+            Throwable t = e.getCause().getCause();
+            if ((t == null) || (expectFail &&
+                !t.toString().contains("MD5withRSA"))) {
+                throw new RuntimeException(
+                    "Expected to see MD5withRSA in exception output " + t);
+            }
+        } finally {
+            if (sslSocket != null) sslSocket.close();
+        }
    }

    /*
@@ -206,10 +216,13 @@ public class TrustTrustedCert {
     */
    private static String tmAlgorithm;        // trust manager
    private static String tlsProtocol;        // trust manager
+    // set this flag to test context of CertificateException
+    private static boolean expectFail;

    private static void parseArguments(String[] args) {
        tmAlgorithm = args[0];
        tlsProtocol = args[1];
+        expectFail = Boolean.parseBoolean(args[2]);
    }

    private static SSLContext generateSSLContext() throws Exception {
@@ -232,7 +245,7 @@ public class TrustTrustedCert {

        // generate the private key.
        PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
-                                Base64.getMimeDecoder().decode(targetPrivateKey));
+                            Base64.getMimeDecoder().decode(targetPrivateKey));
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAPrivateKey priKey =
                (RSAPrivateKey)kf.generatePrivate(priKeySpec);
@@ -338,20 +351,25 @@ public class TrustTrustedCert {
    volatile Exception clientException = null;

    public static void main(String[] args) throws Exception {
-        // MD5 is used in this test case, don't disable MD5 algorithm.
-        Security.setProperty("jdk.certpath.disabledAlgorithms",
+        /*
+         * Get the customized arguments.
+         */
+        parseArguments(args);
+
+        /*
+         * MD5 is used in this test case, don't disable MD5 algorithm.
+         * if expectFail is set, we're testing exception message
+         */
+        if (!expectFail) {
+            Security.setProperty("jdk.certpath.disabledAlgorithms",
                "MD2, RSA keySize < 1024");
+        }
        Security.setProperty("jdk.tls.disabledAlgorithms",
                "SSLv3, RC4, DH keySize < 768");

        if (debug)
            System.setProperty("javax.net.debug", "all");

-        /*
-         * Get the customized arguments.
-         */
-        parseArguments(args);
-
        /*
         * Start the tests.
         */
@@ -376,7 +394,8 @@ public class TrustTrustedCert {
                startServer(false);
            }
        } catch (Exception e) {
-            // swallow for now.  Show later
+            System.out.println("Unexpected exception: ");
+            e.printStackTrace();
        }

        /*
@@ -440,7 +459,11 @@ public class TrustTrustedCert {
                         */
                        System.err.println("Server died...");
                        serverReady = true;
-                        serverException = e;
+                        if (!expectFail) {
+                            // only record if we weren't expecting.
+                            // client side will record exception
+                            serverException = e;
+                        }
                    }
                }
            };
@@ -449,7 +472,11 @@ public class TrustTrustedCert {
            try {
                doServerSide();
            } catch (Exception e) {
-                serverException = e;
+                // only record if we weren't expecting.
+                // client side will record exception
+                if (!expectFail) {
+                    serverException = e;
+                }
            } finally {
                serverReady = true;
            }