private CipherTest(PeerFactory peerFactory) throws IOException {
THREADS = Integer.parseInt(System.getProperty("numThreads", "4"));
factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket();
String[] cipherSuites = socket.getSupportedCipherSuites();
String[] protocols = socket.getSupportedProtocols();
// String[] clientAuths = {null, "RSA", "DSA"};
String[] clientAuths = {null};
tests =
new ArrayList<TestParameters>(cipherSuites.length * protocols.length * clientAuths.length);
for (int i = 0; i < cipherSuites.length; i++) {
String cipherSuite = cipherSuites[i];
for (int j = 0; j < protocols.length; j++) {
String protocol = protocols[j];
if (!peerFactory.isSupported(cipherSuite, protocol)) {
continue;
}
for (int k = 0; k < clientAuths.length; k++) {
String clientAuth = clientAuths[k];
if ((clientAuth != null) && (cipherSuite.indexOf("DH_anon") != -1)) {
// no client with anonymous ciphersuites
continue;
}
tests.add(new TestParameters(cipherSuite, protocol, clientAuth));
}
}
}
testIterator = tests.iterator();
}
/**
* Check if the certificate allows use of the given DNS name.
*
* <p>From RFC2818: If a subjectAltName extension of type dNSName is present, that MUST be used as
* the identity. Otherwise, the (most specific) Common Name field in the Subject field of the
* certificate MUST be used. Although the use of the Common Name is existing practice, it is
* deprecated and Certification Authorities are encouraged to use the dNSName instead.
*
* <p>Matching is performed using the matching rules specified by [RFC2459]. If more than one
* identity of a given type is present in the certificate (e.g., more than one dNSName name, a
* match in any one of the set is considered acceptable.)
*/
private void matchDNS(String expectedName, X509Certificate cert) throws CertificateException {
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames != null) {
boolean foundDNS = false;
for (List<?> next : subjAltNames) {
if (((Integer) next.get(0)).intValue() == ALTNAME_DNS) {
foundDNS = true;
String dnsName = (String) next.get(1);
if (isMatched(expectedName, dnsName)) {
return;
}
}
}
if (foundDNS) {
// if certificate contains any subject alt names of type DNS
// but none match, reject
throw new CertificateException(
"No subject alternative DNS " + "name matching " + expectedName + " found.");
}
}
X500Name subjectName = getSubjectX500Name(cert);
DerValue derValue = subjectName.findMostSpecificAttribute(X500Name.commonName_oid);
if (derValue != null) {
try {
if (isMatched(expectedName, derValue.getAsString())) {
return;
}
} catch (IOException e) {
// ignore
}
}
String msg = "No name matching " + expectedName + " found";
throw new CertificateException(msg);
}
private ConditionalPermissionInfo setConditionalPermissionInfo(
String name, ConditionInfo[] conds, PermissionInfo[] perms, boolean firstTry) {
ConditionalPermissionUpdate update = newConditionalPermissionUpdate();
List rows = update.getConditionalPermissionInfos();
ConditionalPermissionInfo newInfo =
newConditionalPermissionInfo(name, conds, perms, ConditionalPermissionInfo.ALLOW);
int index = -1;
if (name != null) {
for (int i = 0; i < rows.size() && index < 0; i++) {
ConditionalPermissionInfo info = (ConditionalPermissionInfo) rows.get(i);
if (name.equals(info.getName())) {
index = i;
}
}
}
if (index < 0) {
// must always add to the beginning (bug 303930)
rows.add(0, newInfo);
index = 0;
} else {
rows.set(index, newInfo);
}
synchronized (lock) {
if (!update.commit()) {
if (firstTry)
// try again
setConditionalPermissionInfo(name, conds, perms, false);
}
return condAdminTable.getRow(index);
}
}
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
throws CertificateException {
List list = path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert == null) {
throw new ValidatorException("TrustAnchor must be specified as certificate");
}
chain[chain.length - 1] = trustedCert;
return chain;
}
/**
* Check if the certificate allows use of the given IP address.
*
* <p>From RFC2818: In some cases, the URI is specified as an IP address rather than a hostname.
* In this case, the iPAddress subjectAltName must be present in the certificate and must exactly
* match the IP in the URI.
*/
private static void matchIP(String expectedIP, X509Certificate cert) throws CertificateException {
Collection<List<?>> subjAltNames = cert.getSubjectAlternativeNames();
if (subjAltNames == null) {
throw new CertificateException("No subject alternative names present");
}
for (List<?> next : subjAltNames) {
// For IP address, it needs to be exact match
if (((Integer) next.get(0)).intValue() == ALTNAME_IP) {
String ipAddress = (String) next.get(1);
if (expectedIP.equalsIgnoreCase(ipAddress)) {
return;
}
}
}
throw new CertificateException(
"No subject alternative " + "names matching " + "IP address " + expectedIP + " found");
}
void delete(SecurityRow securityRow, boolean firstTry) {
ConditionalPermissionUpdate update = newConditionalPermissionUpdate();
List rows = update.getConditionalPermissionInfos();
for (Iterator iRows = rows.iterator(); iRows.hasNext(); ) {
ConditionalPermissionInfo info = (ConditionalPermissionInfo) iRows.next();
if (securityRow.getName().equals(info.getName())) {
iRows.remove();
synchronized (lock) {
if (!update.commit()) {
if (firstTry)
// try again
delete(securityRow, false);
}
}
break;
}
}
}
private static Bundle createMockBundle(String[] signers) {
Map /* <X509Certificate, List<X509Certificate>> */ signersMap = new HashMap();
for (int i = 0; i < signers.length; i++) {
List chain = parseDNchain(signers[i]);
List /* <X509Certificate> */ signersList = new ArrayList();
Principal subject = null, issuer = null;
X509Certificate first = null;
for (Iterator iChain = chain.iterator(); iChain.hasNext(); ) {
subject = issuer == null ? new MockPrincipal((String) iChain.next()) : issuer;
issuer = iChain.hasNext() ? new MockPrincipal((String) iChain.next()) : subject;
X509Certificate cert = new MockX509Certificate(subject, issuer);
if (first == null) first = cert;
signersList.add(cert);
}
if (subject != issuer) signersList.add(new MockX509Certificate(issuer, issuer));
signersMap.put(first, signersList);
}
return new MockBundle(signersMap);
}
boolean commit(List rows, long updateStamp) {
checkAllPermission();
synchronized (lock) {
if (updateStamp != timeStamp) return false;
SecurityRow[] newRows = new SecurityRow[rows.size()];
Collection names = new ArrayList();
for (int i = 0; i < newRows.length; i++) {
Object rowObj = rows.get(i);
if (!(rowObj instanceof ConditionalPermissionInfo))
throw new IllegalStateException(
"Invalid type \""
+ rowObj.getClass().getName()
+ "\" at row: "
+ i); //$NON-NLS-1$//$NON-NLS-2$
ConditionalPermissionInfo infoBaseRow = (ConditionalPermissionInfo) rowObj;
String name = infoBaseRow.getName();
if (name == null) name = generateName();
if (names.contains(name))
throw new IllegalStateException(
"Duplicate name \"" + name + "\" at row: " + i); // $NON-NLS-1$//$NON-NLS-2$
newRows[i] =
new SecurityRow(
this,
name,
infoBaseRow.getConditionInfos(),
infoBaseRow.getPermissionInfos(),
infoBaseRow.getAccessDecision());
}
condAdminTable = new SecurityTable(this, newRows);
try {
permissionStorage.saveConditionalPermissionInfos(condAdminTable.getEncodedRows());
} catch (IOException e) {
// TODO log
e.printStackTrace();
}
timeStamp += 1;
return true;
}
}
private void initCommon() {
if (TRY_VALIDATOR == false) {
return;
}
trustedSubjects = new HashMap<X500Principal, List<PublicKey>>();
for (Iterator t = trustedCerts.iterator(); t.hasNext(); ) {
X509Certificate cert = (X509Certificate) t.next();
X500Principal dn = cert.getSubjectX500Principal();
List<PublicKey> keys;
if (trustedSubjects.containsKey(dn)) {
keys = trustedSubjects.get(dn);
} else {
keys = new ArrayList<PublicKey>();
trustedSubjects.put(dn, keys);
}
keys.add(cert.getPublicKey());
}
try {
factory = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new RuntimeException("Internal error", e);
}
plugin = variant.equals(VAR_PLUGIN_CODE_SIGNING);
}
/**
* Callback method from _scanKeychain. If an identity is found, this method will be called to
* create Java certificate and private key objects from the keychain data.
*/
private void createKeyEntry(
String alias,
long creationDate,
long secKeyRef,
long[] secCertificateRefs,
byte[][] rawCertData)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException {
KeyEntry ke = new KeyEntry();
// First, store off the private key information. This is the easy part.
ke.protectedPrivKey = null;
ke.keyRef = secKeyRef;
// Make a creation date.
if (creationDate != 0) ke.date = new Date(creationDate);
else ke.date = new Date();
// Next, create X.509 Certificate objects from the raw data. This is complicated
// because a certificate's public key may be too long for Java's default encryption strength.
List<CertKeychainItemPair> createdCerts = new ArrayList<>();
try {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
for (int i = 0; i < rawCertData.length; i++) {
try {
InputStream input = new ByteArrayInputStream(rawCertData[i]);
X509Certificate cert = (X509Certificate) cf.generateCertificate(input);
input.close();
// We successfully created the certificate, so track it and its corresponding
// SecCertificateRef.
createdCerts.add(new CertKeychainItemPair(secCertificateRefs[i], cert));
} catch (CertificateException e) {
// The certificate will be skipped.
System.err.println("KeychainStore Ignored Exception: " + e);
}
}
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException ioe) {
ioe.printStackTrace(); // How would this happen?
}
// We have our certificates in the List, so now extract them into an array of
// Certificates and SecCertificateRefs.
CertKeychainItemPair[] objArray = createdCerts.toArray(new CertKeychainItemPair[0]);
Certificate[] certArray = new Certificate[objArray.length];
long[] certRefArray = new long[objArray.length];
for (int i = 0; i < objArray.length; i++) {
CertKeychainItemPair addedItem = objArray[i];
certArray[i] = addedItem.mCert;
certRefArray[i] = addedItem.mCertificateRef;
}
ke.chain = certArray;
ke.chainRefs = certRefArray;
// If we don't have already have an item with this item's alias
// create a new one for it.
int uniqueVal = 1;
String originalAlias = alias;
while (entries.containsKey(alias.toLowerCase())) {
alias = originalAlias + " " + uniqueVal;
uniqueVal++;
}
entries.put(alias.toLowerCase(), ke);
}
