1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
|
/*
* Copyright (c) 2023, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// Security properties, once set, cannot revert to unset. To avoid
// conflicts with tests running in the same VM isolate this test by
// running it in otherVM mode.
//
/**
* @test
* @bug 8179502
* @summary Enhance OCSP, CRL and Certificate Fetch Timeouts
* @modules java.base/sun.security.x509
* java.base/sun.security.provider.certpath
* java.base/sun.security.util
* @library /test/lib
* @run main/othervm -Djava.security.debug=certpath OCSPTimeout 1000 true
* @run main/othervm -Djava.security.debug=certpath
* -Dcom.sun.security.ocsp.readtimeout=5 OCSPTimeout 1000 true
* @run main/othervm -Djava.security.debug=certpath
* -Dcom.sun.security.ocsp.readtimeout=1 OCSPTimeout 5000 false
* @run main/othervm -Djava.security.debug=certpath
* -Dcom.sun.security.ocsp.readtimeout=1s OCSPTimeout 5000 false
* @run main/othervm -Djava.security.debug=certpath
* -Dcom.sun.security.ocsp.readtimeout=1500ms OCSPTimeout 5000 false
* @run main/othervm -Djava.security.debug=certpath
* -Dcom.sun.security.ocsp.readtimeout=4500ms OCSPTimeout 1000 true
*/
import java.io.*;
import java.math.BigInteger;
import java.net.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.*;
import java.security.cert.*;
import java.util.concurrent.TimeUnit;
import jdk.test.lib.security.SimpleOCSPServer;
import jdk.test.lib.security.CertificateBuilder;
import static java.security.cert.PKIXRevocationChecker.Option.*;
public class OCSPTimeout {
static String passwd = "passphrase";
static String ROOT_ALIAS = "root";
static String EE_ALIAS = "endentity";
// Enable debugging for additional output
static final boolean debug = true;
// PKI components we will need for this test
static X509Certificate rootCert; // The root CA certificate
static X509Certificate eeCert; // The end entity certificate
static KeyStore rootKeystore; // Root CA Keystore
static KeyStore eeKeystore; // End Entity Keystore
static KeyStore trustStore; // SSL Client trust store
static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder
static int rootOcspPort; // Port number for root OCSP
public static void main(String[] args) throws Exception {
int ocspTimeout = 15000;
boolean expected;
createPKI();
try {
if (args[0] != null) {
ocspTimeout = Integer.parseInt(args[0]);
}
rootOcsp.setDelay(ocspTimeout);
expected = (args[1] != null && Boolean.parseBoolean(args[1]));
log("Test case expects to " + (expected ? "pass" : "fail"));
// validate chain
CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
PKIXRevocationChecker prc =
(PKIXRevocationChecker) cpv.getRevocationChecker();
prc.setOptions(EnumSet.of(NO_FALLBACK, SOFT_FAIL));
PKIXParameters params =
new PKIXParameters(Set.of(new TrustAnchor(rootCert, null)));
params.addCertPathChecker(prc);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
CertPath cp = cf.generateCertPath(List.of(eeCert));
cpv.validate(cp, params);
// unwrap soft fail exceptions and check for SocketTimeoutException
List<CertPathValidatorException> softExc = prc.getSoftFailExceptions();
if (expected) {
if (!softExc.isEmpty()) {
log("Expected to pass, found " + softExc.size() +
" soft fail exceptions");
for (CertPathValidatorException cpve : softExc) {
log("Exception: " + cpve);
}
throw new RuntimeException("Expected to pass, found " +
softExc.size() + " soft fail exceptions");
}
} else {
// If we expect to fail the validation then there should be a
// SocketTimeoutException
boolean found = false;
for (CertPathValidatorException softFail : softExc) {
log("CPVE: " + softFail);
Throwable cause = softFail.getCause();
log("Cause: " + cause);
while (cause != null) {
if (cause instanceof SocketTimeoutException) {
found = true;
break;
}
cause = cause.getCause();
}
if (found) {
break;
}
}
if (!found) {
throw new RuntimeException("SocketTimeoutException not thrown");
}
}
} finally {
rootOcsp.stop();
rootOcsp.shutdownNow();
}
}
/**
* Creates the PKI components necessary for this test, including
* Root CA, Intermediate CA and SSL server certificates, the keystores
* for each entity, a client trust store, and starts the OCSP responders.
*/
private static void createPKI() throws Exception {
CertificateBuilder cbld = new CertificateBuilder();
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
keyGen.initialize(new ECGenParameterSpec("secp256r1"));
KeyStore.Builder keyStoreBuilder =
KeyStore.Builder.newInstance("PKCS12", null,
new KeyStore.PasswordProtection(passwd.toCharArray()));
// Generate Root and EE keys
KeyPair rootCaKP = keyGen.genKeyPair();
log("Generated Root CA KeyPair");
KeyPair eeKP = keyGen.genKeyPair();
log("Generated End Entity KeyPair");
// Set up the Root CA Cert
cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
cbld.setPublicKey(rootCaKP.getPublic());
cbld.setSerialNumber(new BigInteger("1"));
// Make a 3 year validity starting from 60 days ago
long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
long end = start + TimeUnit.DAYS.toMillis(1085);
cbld.setValidity(new Date(start), new Date(end));
addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
addCommonCAExts(cbld);
// Make our Root CA Cert!
rootCert = cbld.build(null, rootCaKP.getPrivate(),
"SHA256withECDSA");
log("Root CA Created:\n%s", certInfo(rootCert));
// Now build a keystore and add the keys and cert
rootKeystore = keyStoreBuilder.getKeyStore();
Certificate[] rootChain = {rootCert};
rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
passwd.toCharArray(), rootChain);
// Now fire up the OCSP responder
rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
rootOcsp.enableLog(debug);
rootOcsp.setNextUpdateInterval(3600);
rootOcsp.start();
// Wait 60 seconds for server ready
boolean readyStatus = rootOcsp.awaitServerReady(60, TimeUnit.SECONDS);
if (!readyStatus) {
throw new RuntimeException("Server not ready");
}
rootOcspPort = rootOcsp.getPort();
String rootRespURI = "http://localhost:" + rootOcspPort;
log("Root OCSP Responder URI is %s", rootRespURI);
// Now that we have the root keystore and OCSP responder we can
// create our end entity certificate
cbld.reset();
cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
cbld.setPublicKey(eeKP.getPublic());
cbld.setSerialNumber(new BigInteger("4096"));
// Make a 1 year validity starting from 7 days ago
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
end = start + TimeUnit.DAYS.toMillis(365);
cbld.setValidity(new Date(start), new Date(end));
// Add extensions
addCommonExts(cbld, eeKP.getPublic(), rootCaKP.getPublic());
boolean[] kuBits = {true, false, false, false, false, false,
false, false, false};
cbld.addKeyUsageExt(kuBits);
List<String> ekuOids = new ArrayList<>();
ekuOids.add("1.3.6.1.5.5.7.3.1");
ekuOids.add("1.3.6.1.5.5.7.3.2");
cbld.addExtendedKeyUsageExt(ekuOids);
cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
cbld.addAIAExt(Collections.singletonList(rootRespURI));
// Make our End Entity Cert!
eeCert = cbld.build(rootCert, rootCaKP.getPrivate(),
"SHA256withECDSA");
log("SSL Certificate Created:\n%s", certInfo(eeCert));
// Provide end entity cert revocation info to the Root CA
// OCSP responder.
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
new HashMap<>();
revInfo.put(eeCert.getSerialNumber(),
new SimpleOCSPServer.CertStatusInfo(
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
rootOcsp.updateStatusDb(revInfo);
// Now build a keystore and add the keys, chain and root cert as a TA
eeKeystore = keyStoreBuilder.getKeyStore();
Certificate[] eeChain = {eeCert, rootCert};
eeKeystore.setKeyEntry(EE_ALIAS, eeKP.getPrivate(),
passwd.toCharArray(), eeChain);
eeKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
// And finally a Trust Store for the client
trustStore = keyStoreBuilder.getKeyStore();
trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
}
private static void addCommonExts(CertificateBuilder cbld,
PublicKey subjKey, PublicKey authKey) throws IOException {
cbld.addSubjectKeyIdExt(subjKey);
cbld.addAuthorityKeyIdExt(authKey);
}
private static void addCommonCAExts(CertificateBuilder cbld)
throws IOException {
cbld.addBasicConstraintsExt(true, true, -1);
// Set key usage bits for digitalSignature, keyCertSign and cRLSign
boolean[] kuBitSettings = {true, false, false, false, false, true,
true, false, false};
cbld.addKeyUsageExt(kuBitSettings);
}
/**
* Helper routine that dumps only a few cert fields rather than
* the whole toString() output.
*
* @param cert an X509Certificate to be displayed
*
* @return the String output of the issuer, subject and
* serial number
*/
private static String certInfo(X509Certificate cert) {
StringBuilder sb = new StringBuilder();
sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
append("\n");
sb.append("Subject: ").append(cert.getSubjectX500Principal()).
append("\n");
sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
return sb.toString();
}
/**
* Log a message on stdout
*
* @param format the format string for the log entry
* @param args zero or more arguments corresponding to the format string
*/
private static void log(String format, Object ... args) {
System.out.format(format + "\n", args);
}
}
|
