From 88c3bf1f5fd23dc767989159d312d6a1a446a726 Mon Sep 17 00:00:00 2001 From: bgopularam Date: Thu, 26 May 2016 01:30:40 -0700 Subject: [PATCH] 8048622: Enhance tests for PKCS11 keystores with NSS Summary: New tests for validating read write operations on PKCS 12 based keystore Reviewed-by: vinnie --- test/sun/security/pkcs11/PKCS11Test.java | 10 ++ .../security/pkcs11/Secmod/AddPrivateKey.java | 101 +++++++++--------- .../pkcs11/Secmod/AddTrustedCert.java | 42 ++++++-- test/sun/security/pkcs11/Secmod/Crypto.java | 8 +- .../security/pkcs11/Secmod/GetPrivateKey.java | 14 +-- .../security/pkcs11/Secmod/LoadKeystore.java | 94 ++++++++++++++++ 6 files changed, 196 insertions(+), 73 deletions(-) create mode 100644 test/sun/security/pkcs11/Secmod/LoadKeystore.java diff --git a/test/sun/security/pkcs11/PKCS11Test.java b/test/sun/security/pkcs11/PKCS11Test.java index c8a147af5..9155c83b7 100644 --- a/test/sun/security/pkcs11/PKCS11Test.java +++ b/test/sun/security/pkcs11/PKCS11Test.java @@ -34,6 +34,8 @@ import java.security.spec.ECParameterSpec; public abstract class PKCS11Test { + static final String PKCS11 = "PKCS11"; + // directory of the test source static final String BASE = System.getProperty("test.src", "."); @@ -568,6 +570,14 @@ public abstract class PKCS11Test { } } + static byte[] generateData(int length) { + byte data[] = new byte[length]; + for (int i=0; i T[] concat(T[] a, T[] b) { if ((b == null) || (b.length == 0)) { return a; diff --git a/test/sun/security/pkcs11/Secmod/AddPrivateKey.java b/test/sun/security/pkcs11/Secmod/AddPrivateKey.java index c99c49894..56833bd2c 100644 --- a/test/sun/security/pkcs11/Secmod/AddPrivateKey.java +++ b/test/sun/security/pkcs11/Secmod/AddPrivateKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -42,6 +42,13 @@ import java.security.cert.*; // all providers. public class AddPrivateKey extends SecmodTest { + private static final String ALIAS1 = "entry1"; + private static final String ALIAS2 = "entry2"; + private static final String ALIAS3 = "entry3"; + private static final int MAX_LINE = 85; + private static final int DATA_LENGTH = 4096; + private static final byte[] DATA = generateData(DATA_LENGTH); + public static void main(String[] args) throws Exception { if (initSecmod() == false) { return; @@ -56,7 +63,7 @@ public class AddPrivateKey extends SecmodTest { System.out.println(); Security.addProvider(p); - KeyStore ks = KeyStore.getInstance("PKCS11", p); + KeyStore ks = KeyStore.getInstance(PKCS11, p); ks.load(null, password); for (String alias : aliases(ks)) { System.out.println("Deleting: " + alias); @@ -64,25 +71,28 @@ public class AddPrivateKey extends SecmodTest { } KeyStore jks = KeyStore.getInstance("JKS"); - InputStream in = new FileInputStream(new File(BASE, "keystore.jks")); - char[] jkspass = "passphrase".toCharArray(); - jks.load(in, jkspass); - List entries = new ArrayList(); - for (String alias : Collections.list(jks.aliases())) { - if (jks.entryInstanceOf(alias, PrivateKeyEntry.class)) { - PrivateKeyEntry entry = (PrivateKeyEntry)jks.getEntry(alias, new PasswordProtection(jkspass)); - String algorithm = entry.getPrivateKey().getAlgorithm(); - System.out.println("-Entry " + alias + " (" + algorithm + ")"); - if ((supportsEC == false) && algorithm.equals("EC")) { - System.out.println("EC not supported by provider, skipping"); - continue; - } - if ((supportsEC == false) && algorithm.equals("DSA")) { - System.out.println("Provider does not appear to have CKA_NETSCAPE_DB fix, skipping"); - continue; - } - test(p, entry); - } // else ignore + try (InputStream in = new FileInputStream(BASE + SEP + "keystore.jks")) { + char[] jkspass = "passphrase".toCharArray(); + jks.load(in, jkspass); + for (String alias : Collections.list(jks.aliases())) { + if (jks.entryInstanceOf(alias, PrivateKeyEntry.class)) { + PrivateKeyEntry entry = (PrivateKeyEntry)jks.getEntry(alias, + new PasswordProtection(jkspass)); + String algorithm = entry.getPrivateKey().getAlgorithm(); + System.out.printf("-Entry %s (%s)%n", alias, algorithm); + if ((supportsEC == false) && algorithm.equals("EC")) { + System.out.println("EC not supported by provider, " + + "skipping"); + continue; + } + if ((supportsEC == false) && algorithm.equals("DSA")) { + System.out.println("Provider does not appear to have " + + "CKA_NETSCAPE_DB fix, skipping"); + continue; + } + test(p, entry); + } // else ignore + } } System.out.println("OK"); } @@ -91,10 +101,6 @@ public class AddPrivateKey extends SecmodTest { return Collections.list(ks.aliases()); } - private final static String ALIAS1 = "entry1"; - private final static String ALIAS2 = "entry2"; - private final static String ALIAS3 = "entry3"; - private static void test(Provider p, PrivateKeyEntry entry) throws Exception { PrivateKey key = entry.getPrivateKey(); X509Certificate[] chain = (X509Certificate[])entry.getCertificateChain(); @@ -121,11 +127,8 @@ public class AddPrivateKey extends SecmodTest { PrivateKey key2 = (PrivateKey)ks.getKey(ALIAS1, null); System.out.println(toString(key2)); - X509Certificate[] chain2 = (X509Certificate[])ks.getCertificateChain(ALIAS1); - // NSS makes token keys always sensitive, skip this check -// if (key.equals(key2) == false) { -// throw new Exception("key mismatch"); -// } + X509Certificate[] chain2 = + (X509Certificate[]) ks.getCertificateChain(ALIAS1); if (Arrays.equals(chain, chain2) == false) { throw new Exception("chain mismatch"); } @@ -153,7 +156,8 @@ public class AddPrivateKey extends SecmodTest { PrivateKey key4 = (PrivateKey)ks.getKey(ALIAS2, null); System.out.println(toString(key4)); - X509Certificate[] chain4 = (X509Certificate[])ks.getCertificateChain(ALIAS2); + X509Certificate[] chain4 = (X509Certificate[]) + ks.getCertificateChain(ALIAS2); if (Arrays.equals(chain, chain4) == false) { throw new Exception("chain mismatch"); } @@ -171,7 +175,8 @@ public class AddPrivateKey extends SecmodTest { PrivateKey key5 = (PrivateKey)ks.getKey(ALIAS3, null); System.out.println(toString(key5)); - X509Certificate[] chain5 = (X509Certificate[])ks.getCertificateChain(ALIAS3); + X509Certificate[] chain5 = (X509Certificate[]) + ks.getCertificateChain(ALIAS3); if (Arrays.equals(chain, chain5) == false) { throw new Exception("chain mismatch"); } @@ -185,24 +190,22 @@ public class AddPrivateKey extends SecmodTest { System.out.println("OK"); } - private final static byte[] DATA = new byte[4096]; - - static { - Random random = new Random(); - random.nextBytes(DATA); - } - - private static void sign(Provider p, PrivateKey privateKey, PublicKey publicKey) throws Exception { + private static void sign(Provider p, PrivateKey privateKey, + PublicKey publicKey) throws Exception { String keyAlg = privateKey.getAlgorithm(); String alg; - if (keyAlg.equals("RSA")) { - alg = "SHA1withRSA"; - } else if (keyAlg.equals("DSA")) { - alg = "SHA1withDSA"; - } else if (keyAlg.equals("EC")) { - alg = "SHA1withECDSA"; - } else { - throw new Exception("Unknown algorithm " + keyAlg); + switch (keyAlg) { + case "RSA": + alg = "SHA1withRSA"; + break; + case "DSA": + alg = "SHA1withDSA"; + break; + case "EC": + alg = "SHA1withECDSA"; + break; + default: + throw new Exception("Unknown algorithm " + keyAlg); } Signature s = Signature.getInstance(alg, p); s.initSign(privateKey); @@ -216,8 +219,6 @@ public class AddPrivateKey extends SecmodTest { } } - private final static int MAX_LINE = 85; - private static String toString(Object o) { String s = String.valueOf(o).split("\n")[0]; return (s.length() <= MAX_LINE) ? s : s.substring(0, MAX_LINE); diff --git a/test/sun/security/pkcs11/Secmod/AddTrustedCert.java b/test/sun/security/pkcs11/Secmod/AddTrustedCert.java index 1b3ff8194..6b2b54561 100644 --- a/test/sun/security/pkcs11/Secmod/AddTrustedCert.java +++ b/test/sun/security/pkcs11/Secmod/AddTrustedCert.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -44,29 +44,47 @@ public class AddTrustedCert extends SecmodTest { return; } - InputStream in = new FileInputStream(BASE + SEP + "anchor.cer"); - CertificateFactory factory = CertificateFactory.getInstance("X.509"); - X509Certificate cert = (X509Certificate)factory.generateCertificate(in); - in.close(); -// System.out.println(cert); + X509Certificate cert; + try (InputStream in = new FileInputStream(BASE + SEP + "anchor.cer")) { + CertificateFactory factory = + CertificateFactory.getInstance("X.509"); + cert = (X509Certificate)factory.generateCertificate(in); + } String configName = BASE + SEP + "nss.cfg"; Provider p = getSunPKCS11(configName); System.out.println(p); Security.addProvider(p); - KeyStore ks = KeyStore.getInstance("PKCS11", p); + KeyStore ks = KeyStore.getInstance(PKCS11, p); ks.load(null, password); - Collection aliases = new TreeSet(Collections.list(ks.aliases())); + Collection aliases = new TreeSet<>(Collections.list( + ks.aliases())); System.out.println("entries: " + aliases.size()); System.out.println(aliases); int size1 = aliases.size(); String alias = "anchor"; + if (ks.containsAlias(alias)) { + throw new Exception("Alias exists: " + alias); + } + ks.setCertificateEntry(alias, cert); + KeyStore.Entry first = ks.getEntry(alias, null); + System.out.println("first entry = " + first); + if (!ks.entryInstanceOf(alias, TrustedCertificateEntry.class)) { + throw new Exception("Unexpected first entry type: " + first); + } + ks.setCertificateEntry(alias, cert); + KeyStore.Entry second = ks.getEntry(alias, null); + System.out.println("second entry = " + second); + if (!ks.entryInstanceOf(alias, TrustedCertificateEntry.class)) { + throw new Exception("Unexpected second entry type: " + + second); + } - aliases = new TreeSet(Collections.list(ks.aliases())); + aliases = new TreeSet<>(Collections.list(ks.aliases())); System.out.println("entries: " + aliases.size()); System.out.println(aliases); int size2 = aliases.size(); @@ -79,8 +97,12 @@ public class AddTrustedCert extends SecmodTest { throw new Exception("KeyStore returned incorrect certificate"); } - System.out.println("OK"); + ks.deleteEntry(alias); + if (ks.containsAlias(alias)) { + throw new Exception("Alias still exists: " + alias); + } + System.out.println("OK"); } } diff --git a/test/sun/security/pkcs11/Secmod/Crypto.java b/test/sun/security/pkcs11/Secmod/Crypto.java index c44ab8783..735149f1c 100644 --- a/test/sun/security/pkcs11/Secmod/Crypto.java +++ b/test/sun/security/pkcs11/Secmod/Crypto.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -30,8 +30,6 @@ * @run main/othervm Crypto */ -import java.util.*; - import java.security.*; public class Crypto extends SecmodTest { @@ -50,9 +48,7 @@ public class Crypto extends SecmodTest { System.out.println(kp.getPublic()); System.out.println(kp.getPrivate()); - SecureRandom random = new SecureRandom(); - byte[] data = new byte[2048]; - random.nextBytes(data); + byte[] data = generateData(2048); Signature sig = Signature.getInstance("SHA1withRSA", p); sig.initSign(kp.getPrivate()); diff --git a/test/sun/security/pkcs11/Secmod/GetPrivateKey.java b/test/sun/security/pkcs11/Secmod/GetPrivateKey.java index a41bef9c7..beb07b658 100644 --- a/test/sun/security/pkcs11/Secmod/GetPrivateKey.java +++ b/test/sun/security/pkcs11/Secmod/GetPrivateKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -48,18 +48,17 @@ public class GetPrivateKey extends SecmodTest { System.out.println(p); Security.addProvider(p); - KeyStore ks = KeyStore.getInstance("PKCS11", p); + KeyStore ks = KeyStore.getInstance(PKCS11, p); ks.load(null, password); - Collection aliases = new TreeSet(Collections.list(ks.aliases())); + Collection aliases = new TreeSet<>( + Collections.list(ks.aliases())); System.out.println("entries: " + aliases.size()); System.out.println(aliases); PrivateKey privateKey = (PrivateKey)ks.getKey(keyAlias, password); System.out.println(privateKey); - byte[] data = new byte[1024]; - Random random = new Random(); - random.nextBytes(data); + byte[] data = generateData(1024); System.out.println("Signing..."); Signature signature = Signature.getInstance("MD5withRSA"); @@ -67,7 +66,8 @@ public class GetPrivateKey extends SecmodTest { signature.update(data); byte[] sig = signature.sign(); - X509Certificate[] chain = (X509Certificate[])ks.getCertificateChain(keyAlias); + X509Certificate[] chain = + (X509Certificate[]) ks.getCertificateChain(keyAlias); signature.initVerify(chain[0].getPublicKey()); signature.update(data); boolean ok = signature.verify(sig); diff --git a/test/sun/security/pkcs11/Secmod/LoadKeystore.java b/test/sun/security/pkcs11/Secmod/LoadKeystore.java new file mode 100644 index 000000000..fd1aa694d --- /dev/null +++ b/test/sun/security/pkcs11/Secmod/LoadKeystore.java @@ -0,0 +1,94 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.Provider; +import java.security.Security; +import java.security.UnrecoverableKeyException; +import java.util.Collections; + +/* + * @test + * @bug 8048622 8134232 + * @summary Checks that PKCS#11 keystore can't be loaded with wrong password + * @library ../ + * @run main/othervm LoadKeystore + */ +public class LoadKeystore extends SecmodTest { + + public static void main(String[] args) throws Exception { + if (!initSecmod()) { + return; + } + + String configName = BASE + SEP + "nss.cfg"; + Provider p = getSunPKCS11(configName); + + System.out.println("Add provider " + p); + System.out.println(); + Security.addProvider(p); + + try { + System.out.println("Load keystore with wrong type"); + KeyStore.getInstance("unknown", p); + throw new RuntimeException("Expected exception not thrown"); + } catch(KeyStoreException e) { + System.out.println("Expected exception: " + e); + } + + KeyStore ks = KeyStore.getInstance("PKCS11", p); + if (!"PKCS11".equals(ks.getType())) { + throw new RuntimeException("Unexpected keystore type: " + + ks.getType()); + } + if (!p.equals(ks.getProvider())) { + throw new RuntimeException("Unexpected keystore provider: " + + ks.getProvider()); + } + + try { + System.out.println("Load keystore with wrong password"); + ks.load(null, "wrong".toCharArray()); + throw new RuntimeException("Expected exception not thrown"); + } catch(IOException e) { + System.out.println("Expected exception: " + e); + Throwable cause = e.getCause(); + if (!(cause instanceof UnrecoverableKeyException)) { + e.printStackTrace(System.out); + throw new RuntimeException("Unexpected cause: " + cause); + } + System.out.println("Expected cause: " + cause); + } + + System.out.println("Load keystore with correct password"); + ks.load(null, password); + for (String alias : Collections.list(ks.aliases())) { + System.out.println("Alias: " + alias); + } + + System.out.println("Test passed"); + } + +} -- GitLab