diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux index 22103ad97a5893eb2198d164b1e7d9c0d1c57994..dd63fd4d1e2ff7ea44ac2326434a0d389c4c8e02 100644 --- a/src/share/lib/security/java.security-linux +++ b/src/share/lib/security/java.security-linux @@ -371,7 +371,7 @@ krb5.kdc.bad.policy = tryLast # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2 +jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 3db909b224db287d61ce9dd020a9ea1db15a6273..00759d7b2154b4858b4d3bbcc844aba3e016ddce 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2 +jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff --git a/src/share/lib/security/java.security-solaris b/src/share/lib/security/java.security-solaris index cebe4e77cc11f81afccbc4735f8898f89f1cd923..241873676b7898a0d850366c643ac49b3e40ec9c 100644 --- a/src/share/lib/security/java.security-solaris +++ b/src/share/lib/security/java.security-solaris @@ -373,7 +373,7 @@ krb5.kdc.bad.policy = tryLast # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2 +jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff --git a/src/share/lib/security/java.security-windows b/src/share/lib/security/java.security-windows index 737a6002f6acc7edc5e788f038e1374631179b6a..62b8b51fee64baaec9eb6172a0e9dda37d713f22 100644 --- a/src/share/lib/security/java.security-windows +++ b/src/share/lib/security/java.security-windows @@ -372,7 +372,7 @@ krb5.kdc.bad.policy = tryLast # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2 +jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff --git a/test/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java b/test/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java index 6ab7cf25f1e5e0096985a50f64c6d3ec4cfa3d95..c590f685177090b467ac818acbd956ea0ddf40d1 100644 --- a/test/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java +++ b/test/java/security/cert/CertPathBuilder/targetConstraints/BuildEEBasicConstraints.java @@ -21,18 +21,22 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @bug 6714842 * @library ../../../testlibrary * @build CertUtils - * @run main BuildEEBasicConstraints + * @run main/othervm BuildEEBasicConstraints * @summary make sure a PKIX CertPathBuilder builds a path to an * end entity certificate when the setBasicConstraints method of the * X509CertSelector of the targetConstraints PKIXBuilderParameters * parameter is set to -2. */ +import java.security.Security; import java.security.cert.Certificate; import java.security.cert.CertPath; import java.security.cert.CertStore; @@ -49,6 +53,9 @@ import java.util.List; public final class BuildEEBasicConstraints { public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); X509Certificate rootCert = CertUtils.getCertFromFile("anchor.cer"); TrustAnchor anchor = new TrustAnchor diff --git a/test/java/security/cert/pkix/policyChanges/TestPolicy.java b/test/java/security/cert/pkix/policyChanges/TestPolicy.java index ba56dab9e8cb088adbeb73c1872164a8a1b25c21..567f551ccf54c983cd3605e7af835b22bcef78b8 100644 --- a/test/java/security/cert/pkix/policyChanges/TestPolicy.java +++ b/test/java/security/cert/pkix/policyChanges/TestPolicy.java @@ -21,16 +21,22 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @bug 4684793 - * @summary verify that the RFC3280 policy processing changes are implemented correctly + * @summary verify that the RFC3280 policy processing changes are + * implemented correctly + * @run main/othervm TestPolicy * @author Andreas Sterbenz */ import java.io.*; import java.util.*; +import java.security.Security; import java.security.cert.*; public class TestPolicy { @@ -72,6 +78,10 @@ public class TestPolicy { }; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + factory = CertificateFactory.getInstance("X.509"); X509Certificate anchor = loadCertificate("anchor.cer"); diff --git a/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilder.java b/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilder.java index ebcfc70ec0b2b85ac8a80dba239e5e60a91dbcb0..2352bc07f973f5ad6476d4d237cd0fd135444265 100644 --- a/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilder.java +++ b/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilder.java @@ -21,6 +21,9 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @@ -392,6 +395,9 @@ public class CPBuilder { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); diff --git a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java index 725ed6b5d99795e2a6bbd37bc20296c7d5bdb1d9..283342baddb41893abb88ee39e01ac88b8e4900b 100644 --- a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java +++ b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java @@ -21,6 +21,9 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @@ -28,7 +31,7 @@ * @summary Disable MD2 support. * New CertPathValidatorException.BasicReason enum constant for * constrained algorithm. - * + * @run main/othervm CPValidatorEndEntity * @author Xuelei Fan */ @@ -313,6 +316,10 @@ public class CPValidatorEndEntity { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + try { validate(endentiry_SHA1withRSA_1024_1024, intermediate_SHA1withRSA_1024_1024); diff --git a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorIntermediate.java b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorIntermediate.java index 6b4f3cdc1260af77db09283abd070b32b3a24519..1473577ff5ef6c43e5515e6f0a19093cede8ffee 100644 --- a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorIntermediate.java +++ b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorIntermediate.java @@ -21,6 +21,9 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @@ -28,7 +31,7 @@ * @summary Disable MD2 support * new CertPathValidatorException.BasicReason enum constant for * constrained algorithm - * + * @run main/othervm CPValidatorIntermediate * @author Xuelei Fan */ @@ -212,6 +215,10 @@ public class CPValidatorIntermediate { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + try { validate(intermediate_SHA1withRSA_1024_1024); validate(intermediate_SHA1withRSA_1024_512); diff --git a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorTrustAnchor.java b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorTrustAnchor.java index e1a700020736aeb6887662dfd5741aba9a6c8516..0a0145df968737a16a59ade6247061ee4932bfb3 100644 --- a/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorTrustAnchor.java +++ b/test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorTrustAnchor.java @@ -21,6 +21,9 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /** * @test * @@ -28,7 +31,7 @@ * @summary Disable MD2 support * new CertPathValidatorException.BasicReason enum constant for * constrained algorithm - * + * @run main/othervm CPValidatorTrustAnchor * @author Xuelei Fan */ @@ -133,6 +136,10 @@ public class CPValidatorTrustAnchor { } public static void main(String args[]) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + try { validate(trustAnchor_SHA1withRSA_1024); validate(trustAnchor_SHA1withRSA_512); diff --git a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/RSAExport.java b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/RSAExport.java index d63fc8ea0d1f77554574a02bf4115e4311e58171..b8f22579b4008a2663b5484df18bf404dacffe73 100644 --- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/RSAExport.java +++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ClientHandshaker/RSAExport.java @@ -21,14 +21,14 @@ * questions. */ +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. + /* * @test * @bug 6690018 * @summary RSAClientKeyExchange NullPointerException * @run main/othervm RSAExport - * - * SunJSSE does not support dynamic system properties, no way to re-use - * system properties in samevm/agentvm mode. */ /* @@ -199,6 +199,7 @@ import java.io.*; import java.net.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -415,6 +416,10 @@ public class RSAExport { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + if (debug) System.setProperty("javax.net.debug", "all"); diff --git a/test/sun/security/ssl/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java b/test/sun/security/ssl/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java new file mode 100644 index 0000000000000000000000000000000000000000..4a7130964b82837bff58a6565a09eeccac999e6e --- /dev/null +++ b/test/sun/security/ssl/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java @@ -0,0 +1,433 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. + +/* + * @test + * @bug 7109274 + * @summary Consider disabling support for X.509 certificates with RSA keys + * less than 1024 bits + * + * @run main/othervm DisabledShortRSAKeys PKIX TLSv1.2 + * @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.2 + * @run main/othervm DisabledShortRSAKeys PKIX TLSv1.1 + * @run main/othervm DisabledShortRSAKeys SunX509 TLSv1.1 + * @run main/othervm DisabledShortRSAKeys PKIX TLSv1 + * @run main/othervm DisabledShortRSAKeys SunX509 TLSv1 + * @run main/othervm DisabledShortRSAKeys PKIX SSLv3 + * @run main/othervm DisabledShortRSAKeys SunX509 SSLv3 + */ + +import java.net.*; +import java.util.*; +import java.io.*; +import javax.net.ssl.*; +import java.security.Security; +import java.security.KeyStore; +import java.security.KeyFactory; +import java.security.cert.Certificate; +import java.security.cert.CertificateFactory; +import java.security.spec.*; +import java.security.interfaces.*; +import sun.misc.BASE64Decoder; + + +public class DisabledShortRSAKeys { + + /* + * ============================================================= + * Set the various variables needed for the tests, then + * specify what tests to run on each side. + */ + + /* + * Should we run the client or server in a separate thread? + * Both sides can throw exceptions, but do you have a preference + * as to which side should be the main thread. + */ + static boolean separateServerThread = true; + + /* + * Where do we find the keystores? + */ + // Certificates and key used in the test. + static String trustedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTEwODE5MDE1MjE5WhcNMzIwNzI5MDE1MjE5WjA7MQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" + + "KoZIhvcNAQEBBQADgY0AMIGJAoGBAM8orG08DtF98TMSscjGsidd1ZoN4jiDpi8U\n" + + "ICz+9dMm1qM1d7O2T+KH3/mxyox7Rc2ZVSCaUD0a3CkhPMnlAx8V4u0H+E9sqso6\n" + + "iDW3JpOyzMExvZiRgRG/3nvp55RMIUV4vEHOZ1QbhuqG4ebN0Vz2DkRft7+flthf\n" + + "vDld6f5JAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLl81dnfp0wDrv0OJ1sxlWzH83Xh\n" + + "MGMGA1UdIwRcMFqAFLl81dnfp0wDrv0OJ1sxlWzH83XhoT+kPTA7MQswCQYDVQQG\n" + + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" + + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEE\n" + + "BQADgYEALlgaH1gWtoBZ84EW8Hu6YtGLQ/L9zIFmHonUPZwn3Pr//icR9Sqhc3/l\n" + + "pVTxOINuFHLRz4BBtEylzRIOPzK3tg8XwuLb1zd0db90x3KBCiAL6E6cklGEPwLe\n" + + "XYMHDn9eDsaq861Tzn6ZwzMgw04zotPMoZN0mVd/3Qca8UJFucE=\n" + + "-----END CERTIFICATE-----"; + + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNDCCAZ2gAwIBAgIBDDANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTExMTA3MTM1NTUyWhcNMzEwNzI1MTM1NTUyWjBPMQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n" + + "BAMTCWxvY2FsaG9zdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3Pb49OSPfOD2G\n" + + "HSXFCFx1GJEZfqG9ZUf7xuIi/ra5dLjPGAaoY5QF2QOa8VnOriQCXDfyXHxsuRnE\n" + + "OomxL7EVAgMBAAGjeDB2MAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUXNCJK3/dtCIc\n" + + "xb+zlA/JINlvs/MwHwYDVR0jBBgwFoAUuXzV2d+nTAOu/Q4nWzGVbMfzdeEwJwYD\n" + + "VR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAzANBgkqhkiG9w0B\n" + + "AQQFAAOBgQB2qIDUxA2caMPpGtUACZAPRUtrGssCINIfItETXJZCx/cRuZ5sP4D9\n" + + "N1acoNDn0hCULe3lhXAeTC9NZ97680yJzregQMV5wATjo1FGsKY30Ma+sc/nfzQW\n" + + "+h/7RhYtoG0OTsiaDCvyhI6swkNJzSzrAccPY4+ZgU8HiDLzZTmM3Q==\n" + + "-----END CERTIFICATE-----"; + + // Private key in the format of PKCS#8, key size is 512 bits. + static String targetPrivateKey = + "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAtz2+PTkj3zg9hh0l\n" + + "xQhcdRiRGX6hvWVH+8biIv62uXS4zxgGqGOUBdkDmvFZzq4kAlw38lx8bLkZxDqJ\n" + + "sS+xFQIDAQABAkByx/5Oo2hQ/w2q4L8z+NTRlJ3vdl8iIDtC/4XPnfYfnGptnpG6\n" + + "ZThQRvbMZiai0xHQPQMszvAHjZVme1eDl3EBAiEA3aKJHynPVCEJhpfCLWuMwX5J\n" + + "1LntwJO7NTOyU5m8rPECIQDTpzn5X44r2rzWBDna/Sx7HW9IWCxNgUD2Eyi2nA7W\n" + + "ZQIgJerEorw4aCAuzQPxiGu57PB6GRamAihEAtoRTBQlH0ECIQDN08FgTtnesgCU\n" + + "DFYLLcw1CiHvc7fZw4neBDHCrC8NtQIgA8TOUkGnpCZlQ0KaI8KfKWI+vxFcgFnH\n" + + "3fnqsTgaUs4="; + + static char passphrase[] = "passphrase".toCharArray(); + + /* + * Is the server ready to serve? + */ + volatile static boolean serverReady = false; + + /* + * Turn on SSL debugging? + */ + static boolean debug = false; + + /* + * Define the server side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doServerSide() throws Exception { + SSLContext context = generateSSLContext(null, targetCertStr, + targetPrivateKey); + SSLServerSocketFactory sslssf = context.getServerSocketFactory(); + SSLServerSocket sslServerSocket = + (SSLServerSocket)sslssf.createServerSocket(serverPort); + serverPort = sslServerSocket.getLocalPort(); + + /* + * Signal Client, we're ready for his connect. + */ + serverReady = true; + + try (SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept()) { + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslIS.read(); + sslOS.write('A'); + sslOS.flush(); + + throw new Exception( + "RSA keys shorter than 1024 bits should be disabled"); + } catch (SSLHandshakeException sslhe) { + // the expected exception, ignore + } + } + + /* + * Define the client side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doClientSide() throws Exception { + + /* + * Wait for server to get started. + */ + while (!serverReady) { + Thread.sleep(50); + } + + SSLContext context = generateSSLContext(trustedCertStr, null, null); + SSLSocketFactory sslsf = context.getSocketFactory(); + + try (SSLSocket sslSocket = + (SSLSocket)sslsf.createSocket("localhost", serverPort)) { + + // only enable the target protocol + sslSocket.setEnabledProtocols(new String[] {enabledProtocol}); + + // enable a block cipher + sslSocket.setEnabledCipherSuites( + new String[] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}); + + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslOS.write('B'); + sslOS.flush(); + sslIS.read(); + + throw new Exception( + "RSA keys shorter than 1024 bits should be disabled"); + } catch (SSLHandshakeException sslhe) { + // the expected exception, ignore + } + } + + /* + * ============================================================= + * The remainder is just support stuff + */ + private static String tmAlgorithm; // trust manager + private static String enabledProtocol; // the target protocol + + private static void parseArguments(String[] args) { + tmAlgorithm = args[0]; + enabledProtocol = args[1]; + } + + private static SSLContext generateSSLContext(String trustedCertStr, + String keyCertStr, String keySpecStr) throws Exception { + + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // create a key store + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + + // import the trused cert + Certificate trusedCert = null; + ByteArrayInputStream is = null; + if (trustedCertStr != null) { + is = new ByteArrayInputStream(trustedCertStr.getBytes()); + trusedCert = cf.generateCertificate(is); + is.close(); + + ks.setCertificateEntry("RSA Export Signer", trusedCert); + } + + if (keyCertStr != null) { + // generate the private key. + PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( + new BASE64Decoder().decodeBuffer(keySpecStr)); + KeyFactory kf = KeyFactory.getInstance("RSA"); + RSAPrivateKey priKey = + (RSAPrivateKey)kf.generatePrivate(priKeySpec); + + // generate certificate chain + is = new ByteArrayInputStream(keyCertStr.getBytes()); + Certificate keyCert = cf.generateCertificate(is); + is.close(); + + Certificate[] chain = null; + if (trusedCert != null) { + chain = new Certificate[2]; + chain[0] = keyCert; + chain[1] = trusedCert; + } else { + chain = new Certificate[1]; + chain[0] = keyCert; + } + + // import the key entry. + ks.setKeyEntry("Whatever", priKey, passphrase, chain); + } + + // create SSL context + TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm); + tmf.init(ks); + + SSLContext ctx = SSLContext.getInstance("TLS"); + if (keyCertStr != null && !keyCertStr.isEmpty()) { + KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509"); + kmf.init(ks, passphrase); + + ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + ks = null; + } else { + ctx.init(null, tmf.getTrustManagers(), null); + } + + return ctx; + } + + + // use any free port by default + volatile int serverPort = 0; + + volatile Exception serverException = null; + volatile Exception clientException = null; + + public static void main(String[] args) throws Exception { + if (debug) + System.setProperty("javax.net.debug", "all"); + + /* + * Get the customized arguments. + */ + parseArguments(args); + + /* + * Start the tests. + */ + new DisabledShortRSAKeys(); + } + + Thread clientThread = null; + Thread serverThread = null; + + /* + * Primary constructor, used to drive remainder of the test. + * + * Fork off the other side, then do your work. + */ + DisabledShortRSAKeys() throws Exception { + try { + if (separateServerThread) { + startServer(true); + startClient(false); + } else { + startClient(true); + startServer(false); + } + } catch (Exception e) { + // swallow for now. Show later + } + + /* + * Wait for other side to close down. + */ + if (separateServerThread) { + serverThread.join(); + } else { + clientThread.join(); + } + + /* + * When we get here, the test is pretty much over. + * Which side threw the error? + */ + Exception local; + Exception remote; + String whichRemote; + + if (separateServerThread) { + remote = serverException; + local = clientException; + whichRemote = "server"; + } else { + remote = clientException; + local = serverException; + whichRemote = "client"; + } + + /* + * If both failed, return the curthread's exception, but also + * print the remote side Exception + */ + if ((local != null) && (remote != null)) { + System.out.println(whichRemote + " also threw:"); + remote.printStackTrace(); + System.out.println(); + throw local; + } + + if (remote != null) { + throw remote; + } + + if (local != null) { + throw local; + } + } + + void startServer(boolean newThread) throws Exception { + if (newThread) { + serverThread = new Thread() { + public void run() { + try { + doServerSide(); + } catch (Exception e) { + /* + * Our server thread just died. + * + * Release the client, if not active already... + */ + System.err.println("Server died..."); + serverReady = true; + serverException = e; + } + } + }; + serverThread.start(); + } else { + try { + doServerSide(); + } catch (Exception e) { + serverException = e; + } finally { + serverReady = true; + } + } + } + + void startClient(boolean newThread) throws Exception { + if (newThread) { + clientThread = new Thread() { + public void run() { + try { + doClientSide(); + } catch (Exception e) { + /* + * Our client thread just died. + */ + System.err.println("Client died..."); + clientException = e; + } + } + }; + clientThread.start(); + } else { + try { + doClientSide(); + } catch (Exception e) { + clientException = e; + } + } + } +} diff --git a/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java b/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java index a3fb2b0cb15fcfbf0fd7e1a32d537fe38a4c5ce2..c3c170205a4af107abe1b60a4fbeca71c1d9c4c8 100644 --- a/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java +++ b/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java @@ -23,6 +23,9 @@ * questions. */ +// This test case relies on updated static security property, no way to re-use +// security property in samevm/agentvm mode. + /* * @test * @bug 7106773 @@ -38,6 +41,7 @@ import java.net.*; import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -275,6 +279,10 @@ public class ShortRSAKey512 { volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // reset the security property to make sure that the algorithms + // and keys used in this test are not disabled. + Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); + if (debug) System.setProperty("javax.net.debug", "all"); diff --git a/test/sun/security/tools/jarsigner/concise_jarsigner.sh b/test/sun/security/tools/jarsigner/concise_jarsigner.sh index c3eec5819e16df2b9aa7948a0b23ea99f08d25f7..5fbb7d0b9c4bc81ae17ef6d9e3a0a6284d51a9e8 100644 --- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh +++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh @@ -44,10 +44,10 @@ case "$OS" in ;; esac -# Choose 512-bit RSA to make sure it runs fine and fast on all platforms. In fact, -# every keyalg/keysize combination is OK for this test. +# Choose 1024-bit RSA to make sure it runs fine and fast on all platforms. In +# fact, every keyalg/keysize combination is OK for this test. -KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 512" +KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks -keyalg rsa -keysize 1024" JAR=$TESTJAVA${FS}bin${FS}jar JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner JAVAC=$TESTJAVA${FS}bin${FS}javac