1/* 2 * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24/* 25 * @test 26 * @bug 6323647 27 * @summary Verify that the SunJSSE trustmanager works correctly in FIPS mode 28 * @author Andreas Sterbenz 29 * @library .. 30 * @modules java.base/com.sun.net.ssl.internal.ssl 31 * @run main/othervm TrustManagerTest 32 * @run main/othervm TrustManagerTest sm TrustManagerTest.policy 33 */ 34 35import java.io.File; 36import java.io.FileInputStream; 37import java.io.InputStream; 38import java.security.KeyStore; 39import java.security.Policy; 40import java.security.Provider; 41import java.security.Security; 42import java.security.URIParameter; 43import java.security.cert.CertificateFactory; 44import java.security.cert.X509Certificate; 45import javax.net.ssl.TrustManagerFactory; 46import javax.net.ssl.X509TrustManager; 47 48// This test belongs more in JSSE than here, but the JSSE workspace does not 49// have the NSS test infrastructure. It will live here for the time being. 50 51public class TrustManagerTest extends SecmodTest { 52 53 public static void main(String[] args) throws Exception { 54 if (initSecmod() == false) { 55 return; 56 } 57 58 if ("sparc".equals(System.getProperty("os.arch")) == false) { 59 // we have not updated other platforms with the proper NSS libraries yet 60 System.out.println("Test currently works only on solaris-sparc, skipping"); 61 return; 62 } 63 64 String configName = BASE + SEP + "fips.cfg"; 65 Provider p = getSunPKCS11(configName); 66 67 System.out.println(p); 68 Security.addProvider(p); 69 70 Security.removeProvider("SunJSSE"); 71 Provider jsse = new com.sun.net.ssl.internal.ssl.Provider(p); 72 Security.addProvider(jsse); 73 System.out.println(jsse.getInfo()); 74 75 KeyStore ks = KeyStore.getInstance("PKCS11", p); 76 ks.load(null, "test12".toCharArray()); 77 78 X509Certificate server = loadCertificate("certs/server.cer"); 79 X509Certificate ca = loadCertificate("certs/ca.cer"); 80 X509Certificate anchor = loadCertificate("certs/anchor.cer"); 81 82 if (args.length > 1 && "sm".equals(args[0])) { 83 Policy.setPolicy(Policy.getInstance("JavaPolicy", 84 new URIParameter(new File(BASE, args[1]).toURI()))); 85 System.setSecurityManager(new SecurityManager()); 86 } 87 88 KeyStore trustStore = KeyStore.getInstance("JKS"); 89 trustStore.load(null, null); 90 trustStore.setCertificateEntry("anchor", anchor); 91 92 TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX"); 93 tmf.init(trustStore); 94 95 X509TrustManager tm = (X509TrustManager)tmf.getTrustManagers()[0]; 96 97 X509Certificate[] chain = {server, ca, anchor}; 98 99 tm.checkServerTrusted(chain, "RSA"); 100 101 System.out.println("OK"); 102 } 103 104 private static X509Certificate loadCertificate(String name) throws Exception { 105 try (InputStream in = new FileInputStream(BASE + SEP + name)) { 106 return (X509Certificate) CertificateFactory.getInstance("X.509") 107 .generateCertificate(in); 108 } 109 } 110 111} 112