8157035: Use stronger algorithms and keys for JSSE testing

Reviewed-by: coffeys
Contributed-by: prasadarao.koppula@oracle.com

test/ProblemList.txt

@@ -298,6 +298,8 @@ sun/security/pkcs11/rsa/TestKeyPairGenerator.java               solaris-all
 # 8151834
 sun/security/mscapi/SmallPrimeExponentP.java                    windows-i586
 
+#8176354 
+sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java     generic-all
 ############################################################################
 
 # jdk_sound

test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java

@@ -38,11 +38,10 @@ import javax.net.ssl.SSLSocketFactory;
 
 /**
  * @test
- * @bug 8076221
+ * @bug 8076221 8157035
  * @summary Check if weak cipher suites are disabled
  * @run main/othervm DisabledAlgorithms default
- * @run main/othervm -Djdk.tls.namedGroups="secp256r1,secp192r1"
- *     DisabledAlgorithms empty
+ * @run main/othervm DisabledAlgorithms empty
  */
 public class DisabledAlgorithms {
 
@@ -98,11 +97,6 @@ public class DisabledAlgorithms {
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // some of the certs in our test are weak; disable
-                Security.setProperty("jdk.certpath.disabledAlgorithms", "");
-                System.out.println("jdk.certpath.disabledAlgorithms = "
-                        + Security.getProperty("jdk.cerpath.disabledAlgorithms"));
-
                 // check if RC4 cipher suites can be used
                 // if jdk.tls.disabledAlgorithms is empty
                 checkSuccess(rc4_ciphersuites);

test/sun/security/ssl/etc/README

+Keystores used for the JSSE regression test suite.
+
+keystore
+truststore
+==========
+
+These are the primary two keystores and contain entries for testing most
+of the JSSE regression test files.  There are three entries, one RSA-based,
+one DSA-based and one EC-based.  If they expire, simply recreate them
+using keytool and most of the test cases should work.
+
+The password on both files is:
+
+    passphrase
+
+There are no individual key entry passwords at this time.
+
+
+keystore entries
+================
+
+Alias name: dummy
+-----------------
+Creation date: May 16, 2016
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 57399b87
+Valid from: Mon May 16 10:06:38 UTC 2016 until: Sat May 16 10:06:38 UTC 2026
+Signature algorithm name: SHA256withRSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg RSA -keysize 2048 \
+  -sigalg SHA256withRSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+
+Alias name: dummyecdsa
+----------------------
+Creation date: May 16, 2016
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 57399c1d
+Valid from: Mon May 16 10:09:01 UTC 2016 until: Sat May 16 10:09:01 UTC 2026
+Signature algorithm name: SHA256withECDSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg EC -keysize 256 \
+  -sigalg SHA256withECDSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+Alias name: dummydsa
+--------------------
+Creation date: Mar 11, 2007
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 45f3a314
+Valid from: Sun Mar 11 06:35:00 UTC 2007 until: Wed Mar 08 06:35:00 UTC 2017
+Certificate fingerprints:
+Signature algorithm name: SHA1withDSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg DSA -keysize 1024 \
+  -sigalg SHA1withDSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+
+truststore entries
+==================
+This key store contains only trusted certificate entries.  The same
+certificates are used in both keystore and truststore.
+
+
+unknown_keystore
+================
+A keystore you can use when you don't want things to be verified.
+Use this with keystore/truststore, and you'll never get a match.

test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java

@@ -26,8 +26,7 @@
  * @bug 4496785
  * @summary Verify that all ciphersuites work in all configurations
  * @author Andreas Sterbenz
- * @run main/othervm/timeout=300 -Djdk.tls.namedGroups="secp256r1,secp192r1"
- *      ClientJSSEServerJSSE
+ * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 
 import java.security.Security;