changeset 12420:73eb89b0a09d

8157035: Use stronger algorithms and keys for JSSE testing Reviewed-by: coffeys Contributed-by: prasadarao.koppula@oracle.com
author coffeys
date Thu, 13 Apr 2017 14:22:03 +0100
parents 4728c13e97f1
children b77bc7c2e9ed
files test/ProblemList.txt test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java test/sun/security/ssl/etc/README test/sun/security/ssl/etc/keystore test/sun/security/ssl/etc/truststore test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
diffstat 6 files changed, 99 insertions(+), 10 deletions(-) [+]
--- a/test/ProblemList.txt	Wed Apr 12 09:03:31 2017 -0700
+++ b/test/ProblemList.txt	Thu Apr 13 14:22:03 2017 +0100
@@ -298,6 +298,8 @@
 # 8151834
 sun/security/mscapi/SmallPrimeExponentP.java                    windows-i586
 
+#8176354 
+sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java     generic-all
 ############################################################################
 
 # jdk_sound
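Review bot: The added exclusion is formatted differently from its neighbours: `#8176354 ` has no space after `#` and carries a trailing space, and the blank line that used to separate the last entry from the `####` rule is gone. I would write it as `# 8176354`, then the test line, then an empty line, matching `# 8151834` above. The entry also switches off `PreferredKey.java` (judging by its path, an X509KeyManager key-selection test) on `generic-all` with only a bare bug id. If this is a consequence of the keystore regenerated in this changeset, a short reason next to the id would tell a maintainer when the test can be re-enabled.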
--- a/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Wed Apr 12 09:03:31 2017 -0700
+++ b/test/javax/net/ssl/ciphersuites/DisabledAlgorithms.java	Thu Apr 13 14:22:03 2017 +0100
@@ -38,11 +38,10 @@
 
 /**
  * @test
- * @bug 8076221
+ * @bug 8076221 8157035
  * @summary Check if weak cipher suites are disabled
  * @run main/othervm DisabledAlgorithms default
- * @run main/othervm -Djdk.tls.namedGroups="secp256r1,secp192r1"
- *     DisabledAlgorithms empty
+ * @run main/othervm DisabledAlgorithms empty
  */
 public class DisabledAlgorithms {
 
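Review bot: The `empty` run no longer says what it depends on. With `-Djdk.tls.namedGroups` dropped here and the `jdk.certpath.disabledAlgorithms` override removed in the next hunk, the test can pass only if every certificate it loads is still valid and accepted by the default certpath constraints. The README added in this changeset describes `dummydsa` as a `SHA1withDSA` certificate generated with `-keysize 1024` and valid until Mar 08 2017, which is before the commit date. If this test reads that keystore (not visible in the hunk), the DSA handshake paths are worth checking. I would add a header line such as ` * Relies on the certificates under test/sun/security/ssl/etc passing the default jdk.certpath.disabledAlgorithms.`; the class body continues outside the hunk.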
@@ -98,11 +97,6 @@
                 System.out.println("jdk.tls.disabledAlgorithms = "
                         + Security.getProperty("jdk.tls.disabledAlgorithms"));
 
-                // some of the certs in our test are weak; disable
-                Security.setProperty("jdk.certpath.disabledAlgorithms", "");
-                System.out.println("jdk.certpath.disabledAlgorithms = "
-                        + Security.getProperty("jdk.cerpath.disabledAlgorithms"));
-
                 // check if RC4 cipher suites can be used
                 // if jdk.tls.disabledAlgorithms is empty
                 checkSuccess(rc4_ciphersuites);
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/etc/README	Thu Apr 13 14:22:03 2017 +0100
@@ -0,0 +1,94 @@
+Keystores used for the JSSE regression test suite.
+
+keystore
+truststore
+==========
+
+These are the primary two keystores and contain entries for testing most
+of the JSSE regression test files.  There are three entries, one RSA-based,
+one DSA-based and one EC-based.  If they expire, simply recreate them
+using keytool and most of the test cases should work.
+
+The password on both files is:
+
+    passphrase
+
+There are no individual key entry passwords at this time.
+
+
+keystore entries
+================
+
+Alias name: dummy
+-----------------
+Creation date: May 16, 2016
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 57399b87
+Valid from: Mon May 16 10:06:38 UTC 2016 until: Sat May 16 10:06:38 UTC 2026
+Signature algorithm name: SHA256withRSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg RSA -keysize 2048 \
+  -sigalg SHA256withRSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+
+Alias name: dummyecdsa
+----------------------
+Creation date: May 16, 2016
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 57399c1d
+Valid from: Mon May 16 10:09:01 UTC 2016 until: Sat May 16 10:09:01 UTC 2026
+Signature algorithm name: SHA256withECDSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg EC -keysize 256 \
+  -sigalg SHA256withECDSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+Alias name: dummydsa
+--------------------
+Creation date: Mar 11, 2007
+Entry type: PrivateKeyEntry
+Certificate chain length: 1
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 45f3a314
+Valid from: Sun Mar 11 06:35:00 UTC 2007 until: Wed Mar 08 06:35:00 UTC 2017
+Certificate fingerprints:
+Signature algorithm name: SHA1withDSA
+Version: 1
+
+This can be generated using hacked (update the keytool source code so that
+it can be used for version 1 X.509 certificate) keytool command:
+% keytool -genkeypair -alias dummy -keyalg DSA -keysize 1024 \
+  -sigalg SHA1withDSA \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
+  -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
+
+
+truststore entries
+==================
+This key store contains only trusted certificate entries.  The same
+certificates are used in both keystore and truststore.
+
+
+unknown_keystore
+================
+A keystore you can use when you don't want things to be verified.
+Use this with keystore/truststore, and you'll never get a match.
Binary file test/sun/security/ssl/etc/keystore has changed
Binary file test/sun/security/ssl/etc/truststore has changed
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Wed Apr 12 09:03:31 2017 -0700
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Thu Apr 13 14:22:03 2017 +0100
@@ -26,8 +26,7 @@
  * @bug 4496785
  * @summary Verify that all ciphersuites work in all configurations
  * @author Andreas Sterbenz
- * @run main/othervm/timeout=300 -Djdk.tls.namedGroups="secp256r1,secp192r1"
- *      ClientJSSEServerJSSE
+ * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 
 import java.security.Security;
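Review bot: The `@bug` tag stays at `4496785` even though the `@run` line changes under 8157035, whereas DisabledAlgorithms.java in the same changeset was updated to `@bug 8076221 8157035`. For consistency the tag here should read ` * @bug 4496785 8157035`, so the test is found when searching by the newer bug id. The header comment begins above the hunk.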