J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 2002-2005 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 10 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 11 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 12 | * version 2 for more details (a copy is included in the LICENSE file that |
| 13 | * accompanied this code). |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License version |
| 16 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 17 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 18 | * |
| 19 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 20 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 21 | * have any questions. |
| 22 | */ |
| 23 | |
| 24 | |
| 25 | import java.io.*; |
| 26 | import java.net.*; |
| 27 | import java.util.*; |
| 28 | import java.util.concurrent.*; |
| 29 | |
| 30 | import java.security.*; |
| 31 | import java.security.cert.*; |
| 32 | import java.security.cert.Certificate; |
| 33 | |
| 34 | import javax.net.ssl.*; |
| 35 | |
| 36 | /** |
| 37 | * Test that all ciphersuites work in all versions and all client |
| 38 | * authentication types. The way this is setup the server is stateless and |
| 39 | * all checking is done on the client side. |
| 40 | * |
| 41 | * The test is multithreaded to speed it up, especially on multiprocessor |
| 42 | * machines. To simplify debugging, run with -DnumThreads=1. |
| 43 | * |
| 44 | * @author Andreas Sterbenz |
| 45 | */ |
| 46 | public class CipherTest { |
| 47 | |
| 48 | // use any available port for the server socket |
| 49 | static int serverPort = 0; |
| 50 | |
| 51 | final int THREADS; |
| 52 | |
| 53 | // assume that if we do not read anything for 20 seconds, something |
| 54 | // has gone wrong |
| 55 | final static int TIMEOUT = 20 * 1000; |
| 56 | |
| 57 | static KeyStore trustStore, keyStore; |
| 58 | static X509ExtendedKeyManager keyManager; |
| 59 | static X509TrustManager trustManager; |
| 60 | static SecureRandom secureRandom; |
| 61 | |
| 62 | private static PeerFactory peerFactory; |
| 63 | |
| 64 | static abstract class Server implements Runnable { |
| 65 | |
| 66 | final CipherTest cipherTest; |
| 67 | |
| 68 | Server(CipherTest cipherTest) throws Exception { |
| 69 | this.cipherTest = cipherTest; |
| 70 | } |
| 71 | |
| 72 | public abstract void run(); |
| 73 | |
| 74 | void handleRequest(InputStream in, OutputStream out) throws IOException { |
| 75 | boolean newline = false; |
| 76 | StringBuilder sb = new StringBuilder(); |
| 77 | while (true) { |
| 78 | int ch = in.read(); |
| 79 | if (ch < 0) { |
| 80 | throw new EOFException(); |
| 81 | } |
| 82 | sb.append((char)ch); |
| 83 | if (ch == '\r') { |
| 84 | // empty |
| 85 | } else if (ch == '\n') { |
| 86 | if (newline) { |
| 87 | // 2nd newline in a row, end of request |
| 88 | break; |
| 89 | } |
| 90 | newline = true; |
| 91 | } else { |
| 92 | newline = false; |
| 93 | } |
| 94 | } |
| 95 | String request = sb.toString(); |
| 96 | if (request.startsWith("GET / HTTP/1.") == false) { |
| 97 | throw new IOException("Invalid request: " + request); |
| 98 | } |
| 99 | out.write("HTTP/1.0 200 OK\r\n\r\n".getBytes()); |
| 100 | } |
| 101 | |
| 102 | } |
| 103 | |
| 104 | public static class TestParameters { |
| 105 | |
| 106 | String cipherSuite; |
| 107 | String protocol; |
| 108 | String clientAuth; |
| 109 | |
| 110 | TestParameters(String cipherSuite, String protocol, |
| 111 | String clientAuth) { |
| 112 | this.cipherSuite = cipherSuite; |
| 113 | this.protocol = protocol; |
| 114 | this.clientAuth = clientAuth; |
| 115 | } |
| 116 | |
| 117 | boolean isEnabled() { |
| 118 | // return cipherSuite.equals("SSL_RSA_WITH_RC4_128_MD5") && |
| 119 | // (clientAuth != null); |
| 120 | // return cipherSuite.indexOf("_RSA_") != -1; |
| 121 | // return cipherSuite.indexOf("DH_anon") != -1; |
| 122 | return true; |
| 123 | } |
| 124 | |
| 125 | public String toString() { |
| 126 | String s = cipherSuite + " in " + protocol + " mode"; |
| 127 | if (clientAuth != null) { |
| 128 | s += " with " + clientAuth + " client authentication"; |
| 129 | } |
| 130 | return s; |
| 131 | } |
| 132 | |
| 133 | } |
| 134 | |
| 135 | private List<TestParameters> tests; |
| 136 | private Iterator<TestParameters> testIterator; |
| 137 | private SSLSocketFactory factory; |
| 138 | private boolean failed; |
| 139 | |
| 140 | private CipherTest(PeerFactory peerFactory) throws IOException { |
| 141 | THREADS = Integer.parseInt(System.getProperty("numThreads", "4")); |
| 142 | factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); |
| 143 | SSLSocket socket = (SSLSocket)factory.createSocket(); |
| 144 | String[] cipherSuites = socket.getSupportedCipherSuites(); |
| 145 | String[] protocols = socket.getSupportedProtocols(); |
| 146 | String[] clientAuths = {null, "RSA", "DSA"}; |
| 147 | tests = new ArrayList<TestParameters>( |
| 148 | cipherSuites.length * protocols.length * clientAuths.length); |
| 149 | for (int i = 0; i < cipherSuites.length; i++) { |
| 150 | String cipherSuite = cipherSuites[i]; |
| 151 | if (peerFactory.isSupported(cipherSuite) == false) { |
| 152 | continue; |
| 153 | } |
| 154 | // skip kerberos cipher suites |
| 155 | if (cipherSuite.startsWith("TLS_KRB5")) { |
| 156 | continue; |
| 157 | } |
| 158 | for (int j = 0; j < protocols.length; j++) { |
| 159 | String protocol = protocols[j]; |
| 160 | if (protocol.equals("SSLv2Hello")) { |
| 161 | continue; |
| 162 | } |
| 163 | for (int k = 0; k < clientAuths.length; k++) { |
| 164 | String clientAuth = clientAuths[k]; |
| 165 | if ((clientAuth != null) && |
| 166 | (cipherSuite.indexOf("DH_anon") != -1)) { |
| 167 | // no client with anonymous ciphersuites |
| 168 | continue; |
| 169 | } |
| 170 | tests.add(new TestParameters(cipherSuite, protocol, |
| 171 | clientAuth)); |
| 172 | } |
| 173 | } |
| 174 | } |
| 175 | testIterator = tests.iterator(); |
| 176 | } |
| 177 | |
| 178 | synchronized void setFailed() { |
| 179 | failed = true; |
| 180 | } |
| 181 | |
| 182 | public void run() throws Exception { |
| 183 | Thread[] threads = new Thread[THREADS]; |
| 184 | for (int i = 0; i < THREADS; i++) { |
| 185 | try { |
| 186 | threads[i] = new Thread(peerFactory.newClient(this), |
| 187 | "Client " + i); |
| 188 | } catch (Exception e) { |
| 189 | e.printStackTrace(); |
| 190 | return; |
| 191 | } |
| 192 | threads[i].start(); |
| 193 | } |
| 194 | try { |
| 195 | for (int i = 0; i < THREADS; i++) { |
| 196 | threads[i].join(); |
| 197 | } |
| 198 | } catch (InterruptedException e) { |
| 199 | setFailed(); |
| 200 | e.printStackTrace(); |
| 201 | } |
| 202 | if (failed) { |
| 203 | throw new Exception("*** Test '" + peerFactory.getName() + |
| 204 | "' failed ***"); |
| 205 | } else { |
| 206 | System.out.println("Test '" + peerFactory.getName() + |
| 207 | "' completed successfully"); |
| 208 | } |
| 209 | } |
| 210 | |
| 211 | synchronized TestParameters getTest() { |
| 212 | if (failed) { |
| 213 | return null; |
| 214 | } |
| 215 | if (testIterator.hasNext()) { |
| 216 | return (TestParameters)testIterator.next(); |
| 217 | } |
| 218 | return null; |
| 219 | } |
| 220 | |
| 221 | SSLSocketFactory getFactory() { |
| 222 | return factory; |
| 223 | } |
| 224 | |
| 225 | static abstract class Client implements Runnable { |
| 226 | |
| 227 | final CipherTest cipherTest; |
| 228 | |
| 229 | Client(CipherTest cipherTest) throws Exception { |
| 230 | this.cipherTest = cipherTest; |
| 231 | } |
| 232 | |
| 233 | public final void run() { |
| 234 | while (true) { |
| 235 | TestParameters params = cipherTest.getTest(); |
| 236 | if (params == null) { |
| 237 | // no more tests |
| 238 | break; |
| 239 | } |
| 240 | if (params.isEnabled() == false) { |
| 241 | System.out.println("Skipping disabled test " + params); |
| 242 | continue; |
| 243 | } |
| 244 | try { |
| 245 | runTest(params); |
| 246 | System.out.println("Passed " + params); |
| 247 | } catch (Exception e) { |
| 248 | cipherTest.setFailed(); |
| 249 | System.out.println("** Failed " + params + "**"); |
| 250 | e.printStackTrace(); |
| 251 | } |
| 252 | } |
| 253 | } |
| 254 | |
| 255 | abstract void runTest(TestParameters params) throws Exception; |
| 256 | |
| 257 | void sendRequest(InputStream in, OutputStream out) throws IOException { |
| 258 | out.write("GET / HTTP/1.0\r\n\r\n".getBytes()); |
| 259 | out.flush(); |
| 260 | StringBuilder sb = new StringBuilder(); |
| 261 | while (true) { |
| 262 | int ch = in.read(); |
| 263 | if (ch < 0) { |
| 264 | break; |
| 265 | } |
| 266 | sb.append((char)ch); |
| 267 | } |
| 268 | String response = sb.toString(); |
| 269 | if (response.startsWith("HTTP/1.0 200 ") == false) { |
| 270 | throw new IOException("Invalid response: " + response); |
| 271 | } |
| 272 | } |
| 273 | |
| 274 | } |
| 275 | |
| 276 | // for some reason, ${test.src} has a different value when the |
| 277 | // test is called from the script and when it is called directly... |
| 278 | static String pathToStores = "../../etc"; |
| 279 | static String pathToStoresSH = "."; |
| 280 | static String keyStoreFile = "keystore"; |
| 281 | static String trustStoreFile = "truststore"; |
| 282 | static char[] passwd = "passphrase".toCharArray(); |
| 283 | |
| 284 | static File PATH; |
| 285 | |
| 286 | private static KeyStore readKeyStore(String name) throws Exception { |
| 287 | File file = new File(PATH, name); |
| 288 | InputStream in = new FileInputStream(file); |
| 289 | KeyStore ks = KeyStore.getInstance("JKS"); |
| 290 | ks.load(in, passwd); |
| 291 | in.close(); |
| 292 | return ks; |
| 293 | } |
| 294 | |
| 295 | public static void main(PeerFactory peerFactory, String[] args) |
| 296 | throws Exception { |
| 297 | long time = System.currentTimeMillis(); |
| 298 | String relPath; |
| 299 | if ((args.length > 0) && args[0].equals("sh")) { |
| 300 | relPath = pathToStoresSH; |
| 301 | } else { |
| 302 | relPath = pathToStores; |
| 303 | } |
| 304 | PATH = new File(System.getProperty("test.src", "."), relPath); |
| 305 | CipherTest.peerFactory = peerFactory; |
| 306 | System.out.print( |
| 307 | "Initializing test '" + peerFactory.getName() + "'..."); |
| 308 | secureRandom = new SecureRandom(); |
| 309 | secureRandom.nextInt(); |
| 310 | trustStore = readKeyStore(trustStoreFile); |
| 311 | keyStore = readKeyStore(keyStoreFile); |
| 312 | KeyManagerFactory keyFactory = |
| 313 | KeyManagerFactory.getInstance( |
| 314 | KeyManagerFactory.getDefaultAlgorithm()); |
| 315 | keyFactory.init(keyStore, passwd); |
| 316 | keyManager = (X509ExtendedKeyManager)keyFactory.getKeyManagers()[0]; |
| 317 | trustManager = new AlwaysTrustManager(); |
| 318 | |
| 319 | CipherTest cipherTest = new CipherTest(peerFactory); |
| 320 | Thread serverThread = new Thread(peerFactory.newServer(cipherTest), |
| 321 | "Server"); |
| 322 | serverThread.setDaemon(true); |
| 323 | serverThread.start(); |
| 324 | System.out.println("Done"); |
| 325 | cipherTest.run(); |
| 326 | time = System.currentTimeMillis() - time; |
| 327 | System.out.println("Done. (" + time + " ms)"); |
| 328 | } |
| 329 | |
| 330 | static abstract class PeerFactory { |
| 331 | |
| 332 | abstract String getName(); |
| 333 | |
| 334 | abstract Client newClient(CipherTest cipherTest) throws Exception; |
| 335 | |
| 336 | abstract Server newServer(CipherTest cipherTest) throws Exception; |
| 337 | |
| 338 | boolean isSupported(String cipherSuite) { |
| 339 | return true; |
| 340 | } |
| 341 | } |
| 342 | |
| 343 | } |
| 344 | |
| 345 | // we currently don't do any chain verification. we assume that works ok |
| 346 | // and we can speed up the test. we could also just add a plain certificate |
| 347 | // chain comparision with our trusted certificates. |
| 348 | class AlwaysTrustManager implements X509TrustManager { |
| 349 | |
| 350 | public AlwaysTrustManager() { |
| 351 | |
| 352 | } |
| 353 | |
| 354 | public void checkClientTrusted(X509Certificate[] chain, String authType) |
| 355 | throws CertificateException { |
| 356 | // empty |
| 357 | } |
| 358 | |
| 359 | public void checkServerTrusted(X509Certificate[] chain, String authType) |
| 360 | throws CertificateException { |
| 361 | // empty |
| 362 | } |
| 363 | |
| 364 | public X509Certificate[] getAcceptedIssuers() { |
| 365 | return new X509Certificate[0]; |
| 366 | } |
| 367 | } |
| 368 | |
| 369 | class MyX509KeyManager extends X509ExtendedKeyManager { |
| 370 | |
| 371 | private final X509ExtendedKeyManager keyManager; |
| 372 | private String authType; |
| 373 | |
| 374 | MyX509KeyManager(X509ExtendedKeyManager keyManager) { |
| 375 | this.keyManager = keyManager; |
| 376 | } |
| 377 | |
| 378 | void setAuthType(String authType) { |
| 379 | this.authType = authType; |
| 380 | } |
| 381 | |
| 382 | public String[] getClientAliases(String keyType, Principal[] issuers) { |
| 383 | if (authType == null) { |
| 384 | return null; |
| 385 | } |
| 386 | return keyManager.getClientAliases(authType, issuers); |
| 387 | } |
| 388 | |
| 389 | public String chooseClientAlias(String[] keyType, Principal[] issuers, |
| 390 | Socket socket) { |
| 391 | if (authType == null) { |
| 392 | return null; |
| 393 | } |
| 394 | return keyManager.chooseClientAlias(new String[] {authType}, |
| 395 | issuers, socket); |
| 396 | } |
| 397 | |
| 398 | public String chooseEngineClientAlias(String[] keyType, |
| 399 | Principal[] issuers, SSLEngine engine) { |
| 400 | if (authType == null) { |
| 401 | return null; |
| 402 | } |
| 403 | return keyManager.chooseEngineClientAlias(new String[] {authType}, |
| 404 | issuers, engine); |
| 405 | } |
| 406 | |
| 407 | public String[] getServerAliases(String keyType, Principal[] issuers) { |
| 408 | throw new UnsupportedOperationException("Servers not supported"); |
| 409 | } |
| 410 | |
| 411 | public String chooseServerAlias(String keyType, Principal[] issuers, |
| 412 | Socket socket) { |
| 413 | throw new UnsupportedOperationException("Servers not supported"); |
| 414 | } |
| 415 | |
| 416 | public String chooseEngineServerAlias(String keyType, Principal[] issuers, |
| 417 | SSLEngine engine) { |
| 418 | throw new UnsupportedOperationException("Servers not supported"); |
| 419 | } |
| 420 | |
| 421 | public X509Certificate[] getCertificateChain(String alias) { |
| 422 | return keyManager.getCertificateChain(alias); |
| 423 | } |
| 424 | |
| 425 | public PrivateKey getPrivateKey(String alias) { |
| 426 | return keyManager.getPrivateKey(alias); |
| 427 | } |
| 428 | |
| 429 | } |
| 430 | |
| 431 | class DaemonThreadFactory implements ThreadFactory { |
| 432 | |
| 433 | final static ThreadFactory INSTANCE = new DaemonThreadFactory(); |
| 434 | |
| 435 | private final static ThreadFactory DEFAULT = Executors.defaultThreadFactory(); |
| 436 | |
| 437 | public Thread newThread(Runnable r) { |
| 438 | Thread t = DEFAULT.newThread(r); |
| 439 | t.setDaemon(true); |
| 440 | return t; |
| 441 | } |
| 442 | |
| 443 | } |