1 // 2 // Copyright (c) ZeroC, Inc. All rights reserved. 3 // 4 5 package test.IceSSL.configuration; 6 import java.io.PrintWriter; 7 8 import test.IceSSL.configuration.Test.ServerFactoryPrx; 9 import test.IceSSL.configuration.Test.ServerFactoryPrxHelper; 10 import test.IceSSL.configuration.Test.ServerPrx; 11 12 // 13 // NOTE: This test is not interoperable with other language mappings. 14 // 15 16 public class AllTests 17 { 18 private static void test(boolean b)19 test(boolean b) 20 { 21 if(!b) 22 { 23 throw new RuntimeException(); 24 } 25 } 26 27 private static java.security.cert.X509Certificate loadCertificate(String path, String alias)28 loadCertificate(String path, String alias) 29 { 30 try 31 { 32 java.security.KeyStore keystore = java.security.KeyStore.getInstance("JKS"); 33 keystore.load(new java.io.FileInputStream(path), "password".toCharArray()); 34 return (java.security.cert.X509Certificate)keystore.getCertificate(alias); 35 } 36 catch(Exception ex) 37 { 38 test(false); 39 return null; 40 } 41 } 42 43 private static Ice.InitializationData createClientProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost)44 createClientProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost) 45 { 46 Ice.InitializationData initData = new Ice.InitializationData(); 47 initData.properties = Ice.Util.createProperties(); 48 initData.properties.setProperty("Ice.Plugin.IceSSL", "IceSSL.PluginFactory"); 49 if(defaultProperties.getProperty("Ice.IPv6").length() > 0) 50 { 51 initData.properties.setProperty("Ice.IPv6", defaultProperties.getProperty("Ice.IPv6")); 52 } 53 initData.properties.setProperty("Ice.RetryIntervals", "-1"); 54 initData.properties.setProperty("IceSSL.DefaultDir", defaultDir); 55 initData.properties.setProperty("IceSSL.Random", "seed.dat"); 56 if(defaultHost.length() > 0) 57 { 58 initData.properties.setProperty("Ice.Default.Host", defaultHost); 59 } 60 return initData; 61 } 62 63 private static Ice.InitializationData createClientProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost, String ks, String ts)64 createClientProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost, String ks, String ts) 65 { 66 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost); 67 if(!ks.isEmpty()) 68 { 69 initData.properties.setProperty("IceSSL.Keystore", ks + ".jks"); 70 } 71 if(!ts.isEmpty()) 72 { 73 initData.properties.setProperty("IceSSL.Truststore", ts + ".jks"); 74 } 75 initData.properties.setProperty("IceSSL.Password", "password"); 76 return initData; 77 } 78 79 private static java.util.Map<String, String> createServerProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost)80 createServerProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost) 81 { 82 java.util.Map<String, String> result = new java.util.HashMap<String, String>(); 83 result.put("Ice.Plugin.IceSSL", "IceSSL.PluginFactory"); 84 if(defaultProperties.getProperty("Ice.IPv6").length() > 0) 85 { 86 result.put("Ice.IPv6", defaultProperties.getProperty("Ice.IPv6")); 87 } 88 result.put("IceSSL.DefaultDir", defaultDir); 89 result.put("IceSSL.Random", "seed.dat"); 90 if(defaultHost.length() > 0) 91 { 92 result.put("Ice.Default.Host", defaultHost); 93 } 94 return result; 95 } 96 97 private static java.util.Map<String, String> createServerProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost, String ks, String ts)98 createServerProps(Ice.Properties defaultProperties, String defaultDir, String defaultHost, String ks, String ts) 99 { 100 java.util.Map<String, String> d = createServerProps(defaultProperties, defaultDir, defaultHost); 101 if(!ks.isEmpty()) 102 { 103 d.put("IceSSL.Keystore", ks + ".jks"); 104 } 105 if(!ts.isEmpty()) 106 { 107 d.put("IceSSL.Truststore", ts + ".jks"); 108 } 109 d.put("IceSSL.Password", "password"); 110 return d; 111 } 112 113 public static ServerFactoryPrx allTests(test.TestHelper helper, String testDir)114 allTests(test.TestHelper helper, String testDir) 115 { 116 Ice.Communicator communicator = helper.communicator(); 117 PrintWriter out = helper.getWriter(); 118 119 final String factoryRef = "factory:" + helper.getTestEndpoint(0, "tcp"); 120 Ice.ObjectPrx b = communicator.stringToProxy(factoryRef); 121 test(b != null); 122 ServerFactoryPrx factory = ServerFactoryPrxHelper.checkedCast(b); 123 124 final String defaultHost = communicator.getProperties().getProperty("Ice.Default.Host"); 125 final String defaultDir = testDir + "/../certs"; 126 final Ice.Properties defaultProperties = communicator.getProperties(); 127 final String[] args = new String[0]; 128 129 out.print("testing manual initialization... "); 130 out.flush(); 131 { 132 Ice.InitializationData initData = createClientProps(defaultProperties, defaultDir, defaultHost); 133 initData.properties.setProperty("Ice.InitPlugins", "0"); 134 Ice.Communicator comm = Ice.Util.initialize(args, initData); 135 Ice.ObjectPrx p = comm.stringToProxy("dummy:ssl -p 9999"); 136 try 137 { 138 p.ice_ping(); 139 test(false); 140 } 141 catch(Ice.PluginInitializationException ex) 142 { 143 // Expected. 144 } 145 catch(Ice.LocalException ex) 146 { 147 ex.printStackTrace(); 148 test(false); 149 } 150 comm.destroy(); 151 } 152 out.println("ok"); 153 154 out.print("testing certificate verification... "); 155 out.flush(); 156 { 157 java.util.Map<String, String> d; 158 Ice.InitializationData initData; 159 160 // 161 // Test IceSSL.VerifyPeer=0. Client does not have a certificate, 162 // and it doesn't trust the server certificate. 163 // 164 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", ""); 165 initData.properties.setProperty("IceSSL.VerifyPeer", "0"); 166 Ice.Communicator comm = Ice.Util.initialize(args, initData); 167 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 168 test(fact != null); 169 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 170 d.put("IceSSL.VerifyPeer", "0"); 171 ServerPrx server = fact.createServer(d); 172 try 173 { 174 server.noCert(); 175 test(!((IceSSL.ConnectionInfo)server.ice_getConnection().getInfo()).verified); 176 } 177 catch(Ice.LocalException ex) 178 { 179 ex.printStackTrace(); 180 test(false); 181 } 182 fact.destroyServer(server); 183 comm.destroy(); 184 185 // 186 // Test IceSSL.VerifyPeer=0. Client does not have a certificate, 187 // but it still verifies the server's. 188 // 189 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 190 comm = Ice.Util.initialize(args, initData); 191 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 192 test(fact != null); 193 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 194 d.put("IceSSL.VerifyPeer", "0"); 195 server = fact.createServer(d); 196 try 197 { 198 server.noCert(); 199 test(((IceSSL.ConnectionInfo)server.ice_getConnection().getInfo()).verified); 200 } 201 catch(Ice.LocalException ex) 202 { 203 ex.printStackTrace(); 204 test(false); 205 } 206 fact.destroyServer(server); 207 208 // 209 // Test IceSSL.VerifyPeer=1. Client does not have a certificate. 210 // 211 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 212 comm = Ice.Util.initialize(args, initData); 213 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 214 test(fact != null); 215 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 216 d.put("IceSSL.VerifyPeer", "1"); 217 server = fact.createServer(d); 218 try 219 { 220 server.noCert(); 221 } 222 catch(Ice.LocalException ex) 223 { 224 ex.printStackTrace(); 225 test(false); 226 } 227 fact.destroyServer(server); 228 229 // 230 // Test IceSSL.VerifyPeer=2. This should fail because the client 231 // does not supply a certificate. 232 // 233 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 234 d.put("IceSSL.VerifyPeer", "2"); 235 server = fact.createServer(d); 236 try 237 { 238 server.ice_ping(); 239 test(false); 240 } 241 catch(Ice.SecurityException ex) 242 { 243 // Expected. 244 } 245 catch(Ice.ConnectionLostException ex) 246 { 247 // Expected. 248 } 249 catch(Ice.LocalException ex) 250 { 251 ex.printStackTrace(); 252 test(false); 253 } 254 fact.destroyServer(server); 255 256 comm.destroy(); 257 258 // 259 // Test IceSSL.VerifyPeer=1. Client has a certificate. 260 // 261 // Provide "cacert1" to the client to verify the server 262 // certificate (without this the client connection wouln't be 263 // able to provide the certificate chain). 264 // 265 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 266 comm = Ice.Util.initialize(args, initData); 267 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 268 test(fact != null); 269 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 270 d.put("IceSSL.VerifyPeer", "1"); 271 server = fact.createServer(d); 272 try 273 { 274 java.security.cert.X509Certificate clientCert = loadCertificate(defaultDir + "/c_rsa_ca1.jks", "cert"); 275 server.checkCert(clientCert.getSubjectDN().toString(), clientCert.getIssuerDN().toString()); 276 277 java.security.cert.X509Certificate serverCert = loadCertificate(defaultDir + "/s_rsa_ca1.jks", "cert"); 278 java.security.cert.X509Certificate caCert = loadCertificate(defaultDir + "/cacert1.jks", "ca"); 279 280 IceSSL.ConnectionInfo info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 281 282 test(info.certs.length == 2); 283 test(info.verified); 284 285 test(caCert.equals(info.certs[1])); 286 test(serverCert.equals(info.certs[0])); 287 } 288 catch(Exception ex) 289 { 290 ex.printStackTrace(); 291 test(false); 292 } 293 fact.destroyServer(server); 294 295 // 296 // Test IceSSL.VerifyPeer=2. Client has a certificate. 297 // 298 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 299 d.put("IceSSL.VerifyPeer", "2"); 300 server = fact.createServer(d); 301 try 302 { 303 java.security.cert.X509Certificate clientCert = loadCertificate(defaultDir + "/c_rsa_ca1.jks", "cert"); 304 server.checkCert(clientCert.getSubjectDN().toString(), clientCert.getIssuerDN().toString()); 305 } 306 catch(Exception ex) 307 { 308 ex.printStackTrace(); 309 test(false); 310 } 311 fact.destroyServer(server); 312 313 comm.destroy(); 314 315 // 316 // Test IceSSL.VerifyPeer=1. This should fail because the 317 // client doesn't trust the server's CA. 318 // 319 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", ""); 320 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 321 comm = Ice.Util.initialize(args, initData); 322 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 323 test(fact != null); 324 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 325 d.put("IceSSL.VerifyPeer", "0"); 326 server = fact.createServer(d); 327 try 328 { 329 server.ice_ping(); 330 test(false); 331 } 332 catch(Ice.SecurityException ex) 333 { 334 // Expected. 335 } 336 catch(Ice.LocalException ex) 337 { 338 ex.printStackTrace(); 339 test(false); 340 } 341 fact.destroyServer(server); 342 343 comm.destroy(); 344 345 // 346 // Test IceSSL.VerifyPeer=1. This should fail because the 347 // server doesn't trust the client's CA. 348 // 349 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca2", ""); 350 initData.properties.setProperty("IceSSL.VerifyPeer", "0"); 351 comm = Ice.Util.initialize(args, initData); 352 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 353 test(fact != null); 354 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 355 d.put("IceSSL.VerifyPeer", "1"); 356 server = fact.createServer(d); 357 try 358 { 359 server.ice_ping(); 360 test(false); 361 } 362 catch(Ice.SecurityException ex) 363 { 364 // Expected. 365 } 366 catch(Ice.ConnectionLostException ex) 367 { 368 // Expected. 369 } 370 catch(Ice.LocalException ex) 371 { 372 ex.printStackTrace(); 373 test(false); 374 } 375 fact.destroyServer(server); 376 comm.destroy(); 377 378 // 379 // This should succeed because the self signed certificate used by the server is 380 // trusted. 381 // 382 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert2"); 383 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 384 comm = Ice.Util.initialize(args, initData); 385 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 386 test(fact != null); 387 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_cacert2", ""); 388 d.put("IceSSL.VerifyPeer", "0"); 389 server = fact.createServer(d); 390 try 391 { 392 server.ice_ping(); 393 } 394 catch(Ice.LocalException ex) 395 { 396 ex.printStackTrace(); 397 test(false); 398 } 399 fact.destroyServer(server); 400 comm.destroy(); 401 402 // 403 // This should fail because the self signed certificate used by the server is not 404 // trusted. 405 // 406 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 407 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 408 comm = Ice.Util.initialize(args, initData); 409 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 410 test(fact != null); 411 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_cacert2", ""); 412 d.put("IceSSL.VerifyPeer", "0"); 413 server = fact.createServer(d); 414 try 415 { 416 server.ice_ping(); 417 test(false); 418 } 419 catch(Ice.SecurityException ex) 420 { 421 // Expected. 422 } 423 catch(Ice.LocalException ex) 424 { 425 ex.printStackTrace(); 426 test(false); 427 } 428 fact.destroyServer(server); 429 comm.destroy(); 430 431 // 432 // Verify that IceSSL.CheckCertName has no effect in a server. 433 // 434 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 435 comm = Ice.Util.initialize(args, initData); 436 437 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 438 test(fact != null); 439 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 440 d.put("IceSSL.CheckCertName", "1"); 441 server = fact.createServer(d); 442 try 443 { 444 server.ice_ping(); 445 } 446 catch(Ice.LocalException ex) 447 { 448 ex.printStackTrace(); 449 test(false); 450 } 451 fact.destroyServer(server); 452 comm.destroy(); 453 454 // 455 // Test Hostname verification only when Ice.DefaultHost is 127.0.0.1 456 // as that is the IP address used in the test certificates. 457 // 458 if(defaultHost.equals("127.0.0.1")) 459 { 460 // 461 // Test using localhost as target host 462 // 463 464 // 465 // Target host matches the certificate DNS altName 466 // 467 { 468 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 469 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 470 comm = Ice.Util.initialize(args, initData); 471 472 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 473 test(fact != null); 474 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn1", "cacert1"); 475 server = fact.createServer(d); 476 try 477 { 478 server.ice_ping(); 479 } 480 catch(Ice.LocalException ex) 481 { 482 ex.printStackTrace(); 483 test(false); 484 } 485 fact.destroyServer(server); 486 comm.destroy(); 487 } 488 489 // 490 // Target host does not match the certificate DNS altName 491 // 492 { 493 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 494 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 495 comm = Ice.Util.initialize(args, initData); 496 497 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 498 test(fact != null); 499 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1"); 500 server = fact.createServer(d); 501 try 502 { 503 server.ice_ping(); 504 test(false); 505 } 506 catch(Ice.SecurityException ex) 507 { 508 // Expected 509 } 510 fact.destroyServer(server); 511 comm.destroy(); 512 } 513 514 // 515 // Target host matches the certificate Common Name and the certificate does not 516 // include a DNS altName 517 // 518 { 519 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 520 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 521 comm = Ice.Util.initialize(args, initData); 522 523 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 524 test(fact != null); 525 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn3", "cacert1"); 526 server = fact.createServer(d); 527 try 528 { 529 server.ice_ping(); 530 } 531 catch(Ice.LocalException ex) 532 { 533 ex.printStackTrace(); 534 test(false); 535 } 536 fact.destroyServer(server); 537 comm.destroy(); 538 } 539 540 // 541 // Target host does not match the certificate Common Name and the certificate does not 542 // include a DNS altName 543 // 544 { 545 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 546 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 547 comm = Ice.Util.initialize(args, initData); 548 549 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 550 test(fact != null); 551 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn4", "cacert1"); 552 server = fact.createServer(d); 553 try 554 { 555 server.ice_ping(); 556 test(false); 557 } 558 catch(Ice.SecurityException ex) 559 { 560 // Expected 561 } 562 fact.destroyServer(server); 563 comm.destroy(); 564 } 565 566 // 567 // Target host matches the certificate Common Name and the certificate has 568 // a DNS altName that does not matches the target host 569 // 570 { 571 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 572 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 573 comm = Ice.Util.initialize(args, initData); 574 575 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 576 test(fact != null); 577 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn5", "cacert1"); 578 server = fact.createServer(d); 579 try 580 { 581 server.ice_ping(); 582 test(false); 583 } 584 catch(Ice.SecurityException ex) 585 { 586 // Expected 587 } 588 fact.destroyServer(server); 589 comm.destroy(); 590 } 591 592 // 593 // Test using 127.0.0.1 as target host 594 // 595 596 // 597 // Target host matches the certificate IP altName 598 // 599 { 600 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 601 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 602 comm = Ice.Util.initialize(args, initData); 603 604 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 605 test(fact != null); 606 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn6", "cacert1"); 607 server = fact.createServer(d); 608 try 609 { 610 server.ice_ping(); 611 } 612 catch(Ice.LocalException ex) 613 { 614 ex.printStackTrace(); 615 test(false); 616 } 617 fact.destroyServer(server); 618 comm.destroy(); 619 } 620 621 // 622 // Target host does not match the certificate IP altName 623 // 624 { 625 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 626 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 627 comm = Ice.Util.initialize(args, initData); 628 629 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 630 test(fact != null); 631 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn7", "cacert1"); 632 server = fact.createServer(d); 633 try 634 { 635 server.ice_ping(); 636 test(false); 637 } 638 catch(Ice.SecurityException ex) 639 { 640 // Expected 641 } 642 fact.destroyServer(server); 643 comm.destroy(); 644 } 645 646 // 647 // Target host is an IP addres that matches the CN and the certificate doesn't 648 // include an IP altName 649 // 650 { 651 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 652 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 653 comm = Ice.Util.initialize(args, initData); 654 655 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 656 test(fact != null); 657 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_cn8", "cacert1"); 658 server = fact.createServer(d); 659 try 660 { 661 server.ice_ping(); 662 test(false); 663 } 664 catch(Ice.SecurityException ex) 665 { 666 // Expected 667 } 668 fact.destroyServer(server); 669 comm.destroy(); 670 } 671 672 // 673 // Target host does not match the certificate DNS altName, connection should succeed 674 // because IceSSL.VerifyPeer is set to 0. 675 // 676 { 677 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 678 initData.properties.setProperty("IceSSL.CheckCertName", "1"); 679 initData.properties.setProperty("IceSSL.VerifyPeer", "0"); 680 comm = Ice.Util.initialize(args, initData); 681 682 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 683 test(fact != null); 684 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1"); 685 server = fact.createServer(d); 686 try 687 { 688 server.ice_ping(); 689 } 690 catch(Ice.LocalException ex) 691 { 692 ex.printStackTrace(); 693 test(false); 694 } 695 fact.destroyServer(server); 696 comm.destroy(); 697 } 698 699 // 700 // Target host does not match the certificate DNS altName, connection should succeed 701 // because IceSSL.CheckCertName is set to 0. 702 // 703 { 704 initData = createClientProps(defaultProperties, defaultDir, "localhost", "c_rsa_ca1", "cacert1"); 705 initData.properties.setProperty("IceSSL.CheckCertName", "0"); 706 comm = Ice.Util.initialize(args, initData); 707 708 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 709 test(fact != null); 710 d = createServerProps(defaultProperties, defaultDir, "localhost", "s_rsa_ca1_cn2", "cacert1"); 711 server = fact.createServer(d); 712 try 713 { 714 server.ice_ping(); 715 } 716 catch(Ice.LocalException ex) 717 { 718 ex.printStackTrace(); 719 test(false); 720 } 721 fact.destroyServer(server); 722 comm.destroy(); 723 } 724 } 725 } 726 out.println("ok"); 727 728 Ice.InitializationData initData; 729 java.util.Map<String, String> d; 730 731 out.print("testing certificate chains... "); 732 out.flush(); 733 { 734 IceSSL.ConnectionInfo info; 735 736 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", ""); 737 initData.properties.setProperty("IceSSL.VerifyPeer", "0"); 738 Ice.Communicator comm = Ice.Util.initialize(initData); 739 740 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 741 test(fact != null); 742 743 // 744 // The client can't verify the server certificate but it should 745 // still provide it. "s_rsa_ca1" doesn't include the root so the 746 // cert size should be 1. 747 // 748 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 749 d.put("IceSSL.VerifyPeer", "0"); 750 ServerPrx server = fact.createServer(d); 751 try 752 { 753 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 754 test(info.certs.length == 1); 755 test(!info.verified); 756 } 757 catch(Ice.LocalException ex) 758 { 759 ex.printStackTrace(); 760 test(false); 761 } 762 fact.destroyServer(server); 763 764 // 765 // Setting the CA for the server shouldn't change anything, it 766 // shouldn't modify the cert chain sent to the client. 767 // 768 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 769 d.put("IceSSL.VerifyPeer", "0"); 770 server = fact.createServer(d); 771 try 772 { 773 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 774 test(info.certs.length == 1); 775 test(!info.verified); 776 } 777 catch(Ice.LocalException ex) 778 { 779 ex.printStackTrace(); 780 test(false); 781 } 782 fact.destroyServer(server); 783 784 // 785 // The client can't verify the server certificate but should 786 // still provide it. "s_rsa_wroot_ca1" includes the root so 787 // the cert size should be 2. 788 // 789 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_wroot_ca1", ""); 790 d.put("IceSSL.VerifyPeer", "0"); 791 server = fact.createServer(d); 792 try 793 { 794 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 795 test(info.certs.length == 2); 796 } 797 catch(Ice.LocalException ex) 798 { 799 ex.printStackTrace(); 800 test(false); 801 } 802 fact.destroyServer(server); 803 comm.destroy(); 804 805 // 806 // Now the client verifies the server certificate 807 // 808 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 809 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 810 comm = Ice.Util.initialize(initData); 811 812 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 813 test(fact != null); 814 815 { 816 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", ""); 817 d.put("IceSSL.VerifyPeer", "0"); 818 server = fact.createServer(d); 819 try 820 { 821 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 822 test(info.certs.length == 2); 823 test(info.verified); 824 } 825 catch(Ice.LocalException ex) 826 { 827 ex.printStackTrace(); 828 test(false); 829 } 830 fact.destroyServer(server); 831 } 832 833 comm.destroy(); 834 835 // 836 // Try certificate with one intermediate and VerifyDepthMax=2 837 // 838 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 839 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 840 initData.properties.setProperty("IceSSL.VerifyDepthMax", "2"); 841 comm = Ice.Util.initialize(initData); 842 843 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 844 test(fact != null); 845 846 { 847 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai1", ""); 848 d.put("IceSSL.VerifyPeer", "0"); 849 server = fact.createServer(d); 850 try 851 { 852 server.ice_getConnection().getInfo(); 853 test(false); 854 } 855 catch(Ice.SecurityException ex) 856 { 857 // Chain length too long 858 } 859 catch(Ice.LocalException ex) 860 { 861 ex.printStackTrace(); 862 test(false); 863 } 864 fact.destroyServer(server); 865 } 866 comm.destroy(); 867 868 // 869 // Try with VerifyDepthMax to 3 (the default) 870 // 871 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 872 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 873 //initData.properties.setProperty("IceSSL.VerifyDepthMax", "3"); 874 comm = Ice.Util.initialize(initData); 875 876 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 877 test(fact != null); 878 879 { 880 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai1", ""); 881 d.put("IceSSL.VerifyPeer", "0"); 882 server = fact.createServer(d); 883 try 884 { 885 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 886 test(info.certs.length == 3); 887 test(info.verified); 888 } 889 catch(Ice.LocalException ex) 890 { 891 ex.printStackTrace(); 892 test(false); 893 } 894 fact.destroyServer(server); 895 } 896 897 { 898 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai2", ""); 899 d.put("IceSSL.VerifyPeer", "0"); 900 server = fact.createServer(d); 901 try 902 { 903 server.ice_getConnection().getInfo(); 904 test(false); 905 } 906 catch(Ice.SecurityException ex) 907 { 908 // Chain length too long 909 } 910 fact.destroyServer(server); 911 } 912 comm.destroy(); 913 914 // 915 // Increase VerifyDepthMax to 4 916 // 917 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "", "cacert1"); 918 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 919 initData.properties.setProperty("IceSSL.VerifyDepthMax", "4"); 920 comm = Ice.Util.initialize(initData); 921 922 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 923 test(fact != null); 924 925 { 926 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai2", ""); 927 d.put("IceSSL.VerifyPeer", "0"); 928 server = fact.createServer(d); 929 try 930 { 931 info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 932 test(info.certs.length == 4); 933 test(info.verified); 934 } 935 catch(Ice.LocalException ex) 936 { 937 ex.printStackTrace(); 938 test(false); 939 } 940 fact.destroyServer(server); 941 } 942 943 comm.destroy(); 944 945 // 946 // Increase VerifyDepthMax to 4 947 // 948 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_cai2", "cacert1"); 949 initData.properties.setProperty("IceSSL.VerifyPeer", "1"); 950 initData.properties.setProperty("IceSSL.VerifyDepthMax", "4"); 951 comm = Ice.Util.initialize(initData); 952 953 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 954 test(fact != null); 955 956 { 957 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai2", "cacert1"); 958 d.put("IceSSL.VerifyPeer", "2"); 959 server = fact.createServer(d); 960 try 961 { 962 server.ice_getConnection(); 963 test(false); 964 } 965 catch(Ice.ProtocolException ex) 966 { 967 // Expected 968 } 969 catch(Ice.ConnectionLostException ex) 970 { 971 // Expected 972 } 973 catch(Ice.LocalException ex) 974 { 975 ex.printStackTrace(); 976 test(false); 977 } 978 fact.destroyServer(server); 979 } 980 981 { 982 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_cai2", "cacert1"); 983 d.put("IceSSL.VerifyPeer", "2"); 984 d.put("IceSSL.VerifyDepthMax", "4"); 985 server = fact.createServer(d); 986 try 987 { 988 server.ice_getConnection(); 989 } 990 catch(Ice.LocalException ex) 991 { 992 ex.printStackTrace(); 993 test(false); 994 } 995 fact.destroyServer(server); 996 } 997 998 comm.destroy(); 999 } 1000 out.println("ok"); 1001 1002 out.print("testing custom certificate verifier... "); 1003 out.flush(); 1004 { 1005 // 1006 // Verify that a server certificate is present. 1007 // 1008 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1009 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1010 IceSSL.Plugin plugin = (IceSSL.Plugin)comm.getPluginManager().getPlugin("IceSSL"); 1011 test(plugin != null); 1012 CertificateVerifierI verifier = new CertificateVerifierI(); 1013 plugin.setCertificateVerifier(verifier); 1014 1015 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1016 test(fact != null); 1017 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1018 d.put("IceSSL.VerifyPeer", "2"); 1019 ServerPrx server = fact.createServer(d); 1020 try 1021 { 1022 server.ice_ping(); 1023 } 1024 catch(Ice.LocalException ex) 1025 { 1026 ex.printStackTrace(); 1027 test(false); 1028 } 1029 test(verifier.invoked()); 1030 test(verifier.hadCert()); 1031 fact.destroyServer(server); 1032 comm.destroy(); 1033 } 1034 { 1035 // 1036 // Verify that verifier is installed via property. 1037 // 1038 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1039 initData.properties.setProperty("IceSSL.CertVerifier", "test.IceSSL.configuration.CertificateVerifierI"); 1040 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1041 IceSSL.Plugin plugin = (IceSSL.Plugin)comm.getPluginManager().getPlugin("IceSSL"); 1042 test(plugin != null); 1043 test(plugin.getCertificateVerifier() != null); 1044 comm.destroy(); 1045 } 1046 out.println("ok"); 1047 1048 out.print("testing protocols... "); 1049 out.flush(); 1050 { 1051 // 1052 // This should fail because the client and server have no protocol 1053 // in common. 1054 // 1055 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1056 initData.properties.setProperty("IceSSL.Protocols", "ssl3"); 1057 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1058 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1059 test(fact != null); 1060 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1061 d.put("IceSSL.VerifyPeer", "2"); 1062 d.put("IceSSL.Protocols", "tls1"); 1063 ServerPrx server = fact.createServer(d); 1064 try 1065 { 1066 server.ice_ping(); 1067 test(false); 1068 } 1069 catch(Ice.SecurityException ex) 1070 { 1071 // Expected. 1072 } 1073 catch(Ice.ConnectionLostException ex) 1074 { 1075 // Expected for thread pool. 1076 } 1077 catch(Ice.LocalException ex) 1078 { 1079 ex.printStackTrace(); 1080 test(false); 1081 } 1082 fact.destroyServer(server); 1083 comm.destroy(); 1084 1085 // 1086 // SSLv3 has been disabled by default in latests JDK updates. 1087 // 1088 // // 1089 // // SSLv3 is disabled by default in the IBM JDK. 1090 // // 1091 // if(System.getProperty("java.vendor").toLowerCase().indexOf("ibm") == -1) 1092 // { 1093 // // 1094 // // This should succeed. 1095 // // 1096 // comm = Ice.Util.initialize(args, initData); 1097 // fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1098 // test(fact != null); 1099 // d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1100 // d.put("IceSSL.VerifyPeer", "2"); 1101 // d.put("IceSSL.Protocols", "tls1, ssl3"); 1102 // server = fact.createServer(d); 1103 // try 1104 // { 1105 // server.ice_ping(); 1106 // } 1107 // catch(Ice.LocalException ex) 1108 // { 1109 // ex.printStackTrace(); 1110 // test(false); 1111 // } 1112 // fact.destroyServer(server); 1113 // comm.destroy(); 1114 // } 1115 } 1116 1117 { 1118 // 1119 // This should fail because the client ony enables SSLv3 and the server 1120 // uses the default protocol set that disables SSLv3 1121 // 1122 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1123 initData.properties.setProperty("IceSSL.Protocols", "ssl3"); 1124 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1125 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1126 test(fact != null); 1127 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1128 d.put("IceSSL.VerifyPeer", "2"); 1129 ServerPrx server = fact.createServer(d); 1130 try 1131 { 1132 server.ice_ping(); 1133 test(false); 1134 } 1135 catch(Ice.SecurityException ex) 1136 { 1137 // Expected. 1138 } 1139 catch(Ice.ConnectionLostException ex) 1140 { 1141 // Expected for thread pool. 1142 } 1143 catch(Ice.LocalException ex) 1144 { 1145 ex.printStackTrace(); 1146 test(false); 1147 } 1148 fact.destroyServer(server); 1149 comm.destroy(); 1150 } 1151 1152 { 1153 // 1154 // This should success because the client and the server enables SSLv3 1155 // 1156 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1157 initData.properties.setProperty("IceSSL.Protocols", "ssl3"); 1158 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1159 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1160 test(fact != null); 1161 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1162 d.put("IceSSL.VerifyPeer", "2"); 1163 d.put("IceSSL.Protocols", "ssl3, tls1_0, tls1_1, tls1_2"); 1164 ServerPrx server = fact.createServer(d); 1165 try 1166 { 1167 server.ice_ping(); 1168 } 1169 catch(Ice.SecurityException ex) 1170 { 1171 // Expected. 1172 } 1173 catch(Ice.ConnectionLostException ex) 1174 { 1175 // Expected for thread pool. 1176 } 1177 catch(Ice.LocalException ex) 1178 { 1179 ex.printStackTrace(); 1180 test(false); 1181 } 1182 fact.destroyServer(server); 1183 comm.destroy(); 1184 } 1185 1186 out.println("ok"); 1187 1188 out.print("testing expired certificates... "); 1189 out.flush(); 1190 { 1191 // 1192 // This should fail because the server's certificate is expired. 1193 // 1194 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1195 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1196 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1197 test(fact != null); 1198 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1_exp", "cacert1"); 1199 d.put("IceSSL.VerifyPeer", "2"); 1200 ServerPrx server = fact.createServer(d); 1201 try 1202 { 1203 server.ice_ping(); 1204 test(false); 1205 } 1206 catch(Ice.SecurityException ex) 1207 { 1208 // Expected. 1209 } 1210 catch(Ice.LocalException ex) 1211 { 1212 ex.printStackTrace(); 1213 test(false); 1214 } 1215 fact.destroyServer(server); 1216 comm.destroy(); 1217 1218 // 1219 // This should fail because the client's certificate is expired. 1220 // 1221 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1_exp.jks"); 1222 initData.properties.setProperty("IceSSL.Truststore", "cacert1.jks"); 1223 comm = Ice.Util.initialize(args, initData); 1224 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1225 test(fact != null); 1226 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1227 d.put("IceSSL.VerifyPeer", "2"); 1228 server = fact.createServer(d); 1229 try 1230 { 1231 server.ice_ping(); 1232 test(false); 1233 } 1234 catch(Ice.ConnectionLostException ex) 1235 { 1236 // Expected. 1237 } 1238 catch(Ice.SecurityException ex) 1239 { 1240 // Expected. 1241 } 1242 catch(Ice.LocalException ex) 1243 { 1244 ex.printStackTrace(); 1245 test(false); 1246 } 1247 fact.destroyServer(server); 1248 comm.destroy(); 1249 } 1250 out.println("ok"); 1251 1252 out.print("testing multiple CA certificates... "); 1253 out.flush(); 1254 { 1255 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacerts"); 1256 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1257 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1258 test(fact != null); 1259 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca2", "cacerts"); 1260 d.put("IceSSL.VerifyPeer", "2"); 1261 ServerPrx server = fact.createServer(d); 1262 try 1263 { 1264 server.ice_ping(); 1265 } 1266 catch(Ice.LocalException ex) 1267 { 1268 ex.printStackTrace(); 1269 test(false); 1270 } 1271 fact.destroyServer(server); 1272 comm.destroy(); 1273 } 1274 out.println("ok"); 1275 1276 out.print("testing passwords... "); 1277 out.flush(); 1278 { 1279 // 1280 // Test password failure. 1281 // 1282 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 1283 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks"); 1284 // Don't specify the password. 1285 try 1286 { 1287 Ice.Util.initialize(args, initData); 1288 test(false); 1289 } 1290 catch(Ice.PluginInitializationException ex) 1291 { 1292 // Expected. 1293 } 1294 catch(Ice.LocalException ex) 1295 { 1296 ex.printStackTrace(); 1297 test(false); 1298 } 1299 } 1300 { 1301 // 1302 // Test password failure with callback. 1303 // 1304 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 1305 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks"); 1306 initData.properties.setProperty("Ice.InitPlugins", "0"); 1307 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1308 Ice.PluginManager pm = comm.getPluginManager(); 1309 IceSSL.Plugin plugin = (IceSSL.Plugin)pm.getPlugin("IceSSL"); 1310 test(plugin != null); 1311 PasswordCallbackI cb = new PasswordCallbackI("bogus"); 1312 plugin.setPasswordCallback(cb); 1313 try 1314 { 1315 pm.initializePlugins(); 1316 test(false); 1317 } 1318 catch(Ice.PluginInitializationException ex) 1319 { 1320 // Expected. 1321 } 1322 catch(Ice.LocalException ex) 1323 { 1324 ex.printStackTrace(); 1325 test(false); 1326 } 1327 comm.destroy(); 1328 } 1329 { 1330 // 1331 // Test installation of password callback. 1332 // 1333 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 1334 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks"); 1335 initData.properties.setProperty("Ice.InitPlugins", "0"); 1336 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1337 Ice.PluginManager pm = comm.getPluginManager(); 1338 IceSSL.Plugin plugin = (IceSSL.Plugin)pm.getPlugin("IceSSL"); 1339 test(plugin != null); 1340 PasswordCallbackI cb = new PasswordCallbackI(); 1341 plugin.setPasswordCallback(cb); 1342 test(plugin.getPasswordCallback() == cb); 1343 try 1344 { 1345 pm.initializePlugins(); 1346 } 1347 catch(Ice.LocalException ex) 1348 { 1349 ex.printStackTrace(); 1350 test(false); 1351 } 1352 comm.destroy(); 1353 } 1354 { 1355 // 1356 // Test password callback property. 1357 // 1358 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 1359 initData.properties.setProperty("IceSSL.Keystore", "c_rsa_ca1.jks"); 1360 initData.properties.setProperty("IceSSL.PasswordCallback", "test.IceSSL.configuration.PasswordCallbackI"); 1361 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1362 Ice.PluginManager pm = comm.getPluginManager(); 1363 IceSSL.Plugin plugin = (IceSSL.Plugin)pm.getPlugin("IceSSL"); 1364 test(plugin != null); 1365 test(plugin.getPasswordCallback() != null); 1366 comm.destroy(); 1367 } 1368 out.println("ok"); 1369 1370 out.print("testing ciphers... "); 1371 out.flush(); 1372 { 1373 // 1374 // Configure a server with RSA and DSA certificates. 1375 // 1376 // First try a client with a DSA certificate. 1377 // 1378 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_dsa_ca1", "cacert1"); 1379 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1380 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1381 test(fact != null); 1382 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1383 d.put("IceSSL.VerifyPeer", "1"); 1384 ServerPrx server = fact.createServer(d); 1385 try 1386 { 1387 server.ice_ping(); 1388 } 1389 catch(Ice.LocalException ex) 1390 { 1391 ex.printStackTrace(); 1392 test(false); 1393 } 1394 fact.destroyServer(server); 1395 comm.destroy(); 1396 1397 // 1398 // Next try a client with an RSA certificate. 1399 // 1400 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1401 comm = Ice.Util.initialize(args, initData); 1402 fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1403 test(fact != null); 1404 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1405 d.put("IceSSL.VerifyPeer", "1"); 1406 server = fact.createServer(d); 1407 try 1408 { 1409 server.ice_ping(); 1410 } 1411 catch(Ice.LocalException ex) 1412 { 1413 ex.printStackTrace(); 1414 test(false); 1415 } 1416 fact.destroyServer(server); 1417 comm.destroy(); 1418 } 1419 { 1420 // 1421 // Configure a server with RSA and a client with DSA. This should fail. 1422 // 1423 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_dsa_ca1", "cacert1"); 1424 initData.properties.setProperty("IceSSL.Ciphers", "NONE (.*DSS.*)"); 1425 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1426 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1427 test(fact != null); 1428 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_ca1", "cacert1"); 1429 d.put("IceSSL.VerifyPeer", "2"); 1430 ServerPrx server = fact.createServer(d); 1431 try 1432 { 1433 server.ice_ping(); 1434 test(false); 1435 } 1436 catch(Ice.SecurityException ex) 1437 { 1438 // Expected. 1439 } 1440 catch(Ice.ConnectionLostException ex) 1441 { 1442 // Expected for thread pool. 1443 } 1444 catch(Ice.LocalException ex) 1445 { 1446 ex.printStackTrace(); 1447 test(false); 1448 } 1449 fact.destroyServer(server); 1450 comm.destroy(); 1451 } 1452 { 1453 // 1454 // Configure the server with both RSA and DSA certificates, but use the 1455 // Alias property to select the RSA certificate. This should fail. 1456 // 1457 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_dsa_ca1", "cacert1"); 1458 initData.properties.setProperty("IceSSL.Ciphers", "NONE (.*DSS.*)"); 1459 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1460 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1461 test(fact != null); 1462 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1463 d.put("IceSSL.Alias", "rsacert"); 1464 d.put("IceSSL.VerifyPeer", "2"); 1465 ServerPrx server = fact.createServer(d); 1466 try 1467 { 1468 server.ice_ping(); 1469 test(false); 1470 } 1471 catch(Ice.SecurityException ex) 1472 { 1473 // Expected. 1474 } 1475 catch(Ice.ConnectionLostException ex) 1476 { 1477 // Expected for thread pool. 1478 } 1479 catch(Ice.LocalException ex) 1480 { 1481 ex.printStackTrace(); 1482 test(false); 1483 } 1484 fact.destroyServer(server); 1485 comm.destroy(); 1486 } 1487 { 1488 // 1489 // Configure the server with both RSA and DSA certificates, but use the 1490 // Alias property to select the DSA certificate. This should succeed. 1491 // 1492 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "cacert1", ""); 1493 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1494 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1495 test(fact != null); 1496 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1497 d.put("IceSSL.Alias", "dsacert"); 1498 d.put("IceSSL.VerifyPeer", "1"); 1499 // TLS 1.3 no longer supports DSA so disable TLS 1.3 for this test. 1500 d.put("IceSSL.Protocols", "ssl3, tls1_0, tls1_1, tls1_2"); 1501 ServerPrx server = fact.createServer(d); 1502 try 1503 { 1504 server.ice_ping(); 1505 // 1506 // RSA is used by default, so we examine the negotiated cipher to determine whether 1507 // DSA was actually used. 1508 // 1509 IceSSL.ConnectionInfo info = (IceSSL.ConnectionInfo)server.ice_getConnection().getInfo(); 1510 test(info.cipher.toLowerCase().contains("dss")); 1511 } 1512 catch(Ice.LocalException ex) 1513 { 1514 ex.printStackTrace(); 1515 test(false); 1516 } 1517 fact.destroyServer(server); 1518 comm.destroy(); 1519 } 1520 out.println("ok"); 1521 1522 out.print("testing IceSSL.TrustOnly... "); 1523 out.flush(); 1524 { 1525 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1526 initData.properties.setProperty("IceSSL.TrustOnly", 1527 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1528 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1529 1530 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1531 test(fact != null); 1532 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1533 ServerPrx server = fact.createServer(d); 1534 try 1535 { 1536 server.ice_ping(); 1537 } 1538 catch(Ice.LocalException ex) 1539 { 1540 ex.printStackTrace(); 1541 test(false); 1542 } 1543 fact.destroyServer(server); 1544 comm.destroy(); 1545 } 1546 { 1547 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1548 initData.properties.setProperty("IceSSL.TrustOnly", 1549 "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1550 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1551 1552 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1553 test(fact != null); 1554 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1555 ServerPrx server = fact.createServer(d); 1556 try 1557 { 1558 server.ice_ping(); 1559 test(false); 1560 } 1561 catch(Ice.LocalException ex) 1562 { 1563 } 1564 fact.destroyServer(server); 1565 comm.destroy(); 1566 } 1567 { 1568 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1569 initData.properties.setProperty("IceSSL.TrustOnly", 1570 "C=US, ST=Florida, O=\"ZeroC, Inc.\", OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1571 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1572 1573 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1574 test(fact != null); 1575 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1576 ServerPrx server = fact.createServer(d); 1577 try 1578 { 1579 server.ice_ping(); 1580 } 1581 catch(Ice.LocalException ex) 1582 { 1583 ex.printStackTrace(); 1584 test(false); 1585 } 1586 fact.destroyServer(server); 1587 comm.destroy(); 1588 } 1589 { 1590 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1591 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1592 1593 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1594 test(fact != null); 1595 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1596 d.put("IceSSL.TrustOnly", 1597 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 1598 ServerPrx server = fact.createServer(d); 1599 try 1600 { 1601 server.ice_ping(); 1602 } 1603 catch(Ice.LocalException ex) 1604 { 1605 ex.printStackTrace(); 1606 test(false); 1607 } 1608 fact.destroyServer(server); 1609 comm.destroy(); 1610 } 1611 { 1612 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1613 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1614 1615 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1616 test(fact != null); 1617 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1618 d.put("IceSSL.TrustOnly", 1619 "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 1620 ServerPrx server = fact.createServer(d); 1621 try 1622 { 1623 server.ice_ping(); 1624 test(false); 1625 } 1626 catch(Ice.LocalException ex) 1627 { 1628 } 1629 fact.destroyServer(server); 1630 comm.destroy(); 1631 } 1632 { 1633 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1634 initData.properties.setProperty("IceSSL.TrustOnly", "CN=Server"); 1635 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1636 1637 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1638 test(fact != null); 1639 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1640 ServerPrx server = fact.createServer(d); 1641 try 1642 { 1643 server.ice_ping(); 1644 } 1645 catch(Ice.LocalException ex) 1646 { 1647 ex.printStackTrace(); 1648 test(false); 1649 } 1650 fact.destroyServer(server); 1651 comm.destroy(); 1652 } 1653 { 1654 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1655 initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server"); 1656 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1657 1658 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1659 test(fact != null); 1660 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1661 ServerPrx server = fact.createServer(d); 1662 try 1663 { 1664 server.ice_ping(); 1665 test(false); 1666 } 1667 catch(Ice.LocalException ex) 1668 { 1669 } 1670 fact.destroyServer(server); 1671 comm.destroy(); 1672 } 1673 { 1674 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1675 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1676 1677 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1678 test(fact != null); 1679 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1680 d.put("IceSSL.TrustOnly", "CN=Client"); 1681 ServerPrx server = fact.createServer(d); 1682 try 1683 { 1684 server.ice_ping(); 1685 } 1686 catch(Ice.LocalException ex) 1687 { 1688 ex.printStackTrace(); 1689 test(false); 1690 } 1691 fact.destroyServer(server); 1692 comm.destroy(); 1693 } 1694 { 1695 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1696 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1697 1698 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1699 test(fact != null); 1700 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1701 d.put("IceSSL.TrustOnly", "!CN=Client"); 1702 ServerPrx server = fact.createServer(d); 1703 try 1704 { 1705 server.ice_ping(); 1706 test(false); 1707 } 1708 catch(Ice.LocalException ex) 1709 { 1710 } 1711 fact.destroyServer(server); 1712 comm.destroy(); 1713 } 1714 { 1715 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1716 initData.properties.setProperty("IceSSL.TrustOnly", "CN=Client"); 1717 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1718 1719 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1720 test(fact != null); 1721 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1722 ServerPrx server = fact.createServer(d); 1723 try 1724 { 1725 server.ice_ping(); 1726 test(false); 1727 } 1728 catch(Ice.LocalException ex) 1729 { 1730 } 1731 fact.destroyServer(server); 1732 comm.destroy(); 1733 } 1734 { 1735 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1736 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1737 1738 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1739 test(fact != null); 1740 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1741 d.put("IceSSL.TrustOnly", "CN=Server"); 1742 ServerPrx server = fact.createServer(d); 1743 try 1744 { 1745 server.ice_ping(); 1746 test(false); 1747 } 1748 catch(Ice.LocalException ex) 1749 { 1750 } 1751 fact.destroyServer(server); 1752 comm.destroy(); 1753 } 1754 { 1755 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1756 initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada,CN=Server"); 1757 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1758 1759 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1760 test(fact != null); 1761 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1762 ServerPrx server = fact.createServer(d); 1763 try 1764 { 1765 server.ice_ping(); 1766 test(false); 1767 } 1768 catch(Ice.LocalException ex) 1769 { 1770 } 1771 fact.destroyServer(server); 1772 comm.destroy(); 1773 } 1774 { 1775 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1776 initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada,CN=Server"); 1777 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1778 1779 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1780 test(fact != null); 1781 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1782 ServerPrx server = fact.createServer(d); 1783 try 1784 { 1785 server.ice_ping(); 1786 } 1787 catch(Ice.LocalException ex) 1788 { 1789 ex.printStackTrace(); 1790 test(false); 1791 } 1792 fact.destroyServer(server); 1793 comm.destroy(); 1794 } 1795 { 1796 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1797 initData.properties.setProperty("IceSSL.TrustOnly", "C=Canada;CN=Server"); 1798 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1799 1800 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1801 test(fact != null); 1802 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1803 ServerPrx server = fact.createServer(d); 1804 try 1805 { 1806 server.ice_ping(); 1807 } 1808 catch(Ice.LocalException ex) 1809 { 1810 ex.printStackTrace(); 1811 test(false); 1812 } 1813 fact.destroyServer(server); 1814 comm.destroy(); 1815 } 1816 { 1817 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1818 initData.properties.setProperty("IceSSL.TrustOnly", "!C=Canada;!CN=Server"); 1819 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1820 1821 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1822 test(fact != null); 1823 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1824 ServerPrx server = fact.createServer(d); 1825 try 1826 { 1827 server.ice_ping(); 1828 test(false); 1829 } 1830 catch(Ice.LocalException ex) 1831 { 1832 } 1833 fact.destroyServer(server); 1834 comm.destroy(); 1835 } 1836 { 1837 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1838 initData.properties.setProperty("IceSSL.TrustOnly", "!CN=Server1"); // Should not match "Server" 1839 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1840 1841 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1842 test(fact != null); 1843 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1844 ServerPrx server = fact.createServer(d); 1845 try 1846 { 1847 server.ice_ping(); 1848 } 1849 catch(Ice.LocalException ex) 1850 { 1851 ex.printStackTrace(); 1852 test(false); 1853 } 1854 fact.destroyServer(server); 1855 comm.destroy(); 1856 } 1857 { 1858 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1859 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1860 1861 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1862 test(fact != null); 1863 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1864 d.put("IceSSL.TrustOnly", "!CN=Client1"); // Should not match "Client" 1865 ServerPrx server = fact.createServer(d); 1866 try 1867 { 1868 server.ice_ping(); 1869 } 1870 catch(Ice.LocalException ex) 1871 { 1872 ex.printStackTrace(); 1873 test(false); 1874 } 1875 fact.destroyServer(server); 1876 comm.destroy(); 1877 } 1878 { 1879 // 1880 // Rejection takes precedence (client). 1881 // 1882 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1883 initData.properties.setProperty("IceSSL.TrustOnly", "ST=Florida;!CN=Server;C=US"); 1884 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1885 1886 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1887 test(fact != null); 1888 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1889 ServerPrx server = fact.createServer(d); 1890 try 1891 { 1892 server.ice_ping(); 1893 test(false); 1894 } 1895 catch(Ice.LocalException ex) 1896 { 1897 } 1898 fact.destroyServer(server); 1899 comm.destroy(); 1900 } 1901 { 1902 // 1903 // Rejection takes precedence (server). 1904 // 1905 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1906 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1907 1908 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1909 test(fact != null); 1910 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1911 d.put("IceSSL.TrustOnly", "ST=Florida;!CN=Client;C=US"); 1912 ServerPrx server = fact.createServer(d); 1913 try 1914 { 1915 server.ice_ping(); 1916 test(false); 1917 } 1918 catch(Ice.LocalException ex) 1919 { 1920 } 1921 fact.destroyServer(server); 1922 comm.destroy(); 1923 } 1924 out.println("ok"); 1925 1926 out.print("testing IceSSL.TrustOnly.Client... "); 1927 out.flush(); 1928 { 1929 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1930 initData.properties.setProperty("IceSSL.TrustOnly.Client", 1931 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1932 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1933 1934 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1935 test(fact != null); 1936 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1937 // Should have no effect. 1938 d.put("IceSSL.TrustOnly.Client", 1939 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1940 ServerPrx server = fact.createServer(d); 1941 try 1942 { 1943 server.ice_ping(); 1944 } 1945 catch(Ice.LocalException ex) 1946 { 1947 ex.printStackTrace(); 1948 test(false); 1949 } 1950 fact.destroyServer(server); 1951 comm.destroy(); 1952 } 1953 { 1954 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1955 initData.properties.setProperty("IceSSL.TrustOnly.Client", 1956 "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Server"); 1957 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1958 1959 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1960 test(fact != null); 1961 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1962 ServerPrx server = fact.createServer(d); 1963 try 1964 { 1965 server.ice_ping(); 1966 test(false); 1967 } 1968 catch(Ice.LocalException ex) 1969 { 1970 } 1971 fact.destroyServer(server); 1972 comm.destroy(); 1973 } 1974 { 1975 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1976 Ice.Communicator comm = Ice.Util.initialize(args, initData); 1977 1978 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 1979 test(fact != null); 1980 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 1981 // Should have no effect. 1982 d.put("IceSSL.TrustOnly.Client", "CN=Client"); 1983 ServerPrx server = fact.createServer(d); 1984 try 1985 { 1986 server.ice_ping(); 1987 } 1988 catch(Ice.LocalException ex) 1989 { 1990 ex.printStackTrace(); 1991 test(false); 1992 } 1993 fact.destroyServer(server); 1994 comm.destroy(); 1995 } 1996 { 1997 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 1998 initData.properties.setProperty("IceSSL.TrustOnly.Client", "CN=Client"); 1999 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2000 2001 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2002 test(fact != null); 2003 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2004 ServerPrx server = fact.createServer(d); 2005 try 2006 { 2007 server.ice_ping(); 2008 test(false); 2009 } 2010 catch(Ice.LocalException ex) 2011 { 2012 } 2013 fact.destroyServer(server); 2014 comm.destroy(); 2015 } 2016 { 2017 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2018 initData.properties.setProperty("IceSSL.TrustOnly.Client", "!CN=Client"); 2019 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2020 2021 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2022 test(fact != null); 2023 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2024 ServerPrx server = fact.createServer(d); 2025 try 2026 { 2027 server.ice_ping(); 2028 } 2029 catch(Ice.LocalException ex) 2030 { 2031 ex.printStackTrace(); 2032 test(false); 2033 } 2034 fact.destroyServer(server); 2035 comm.destroy(); 2036 } 2037 out.println("ok"); 2038 2039 out.print("testing IceSSL.TrustOnly.Server... "); 2040 out.flush(); 2041 { 2042 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2043 // Should have no effect. 2044 initData.properties.setProperty("IceSSL.TrustOnly.Server", 2045 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 2046 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2047 2048 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2049 test(fact != null); 2050 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2051 d.put("IceSSL.TrustOnly.Server", 2052 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 2053 ServerPrx server = fact.createServer(d); 2054 try 2055 { 2056 server.ice_ping(); 2057 } 2058 catch(Ice.LocalException ex) 2059 { 2060 ex.printStackTrace(); 2061 test(false); 2062 } 2063 fact.destroyServer(server); 2064 comm.destroy(); 2065 } 2066 { 2067 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2068 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2069 2070 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2071 test(fact != null); 2072 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2073 d.put("IceSSL.TrustOnly.Server", 2074 "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 2075 ServerPrx server = fact.createServer(d); 2076 try 2077 { 2078 server.ice_ping(); 2079 test(false); 2080 } 2081 catch(Ice.LocalException ex) 2082 { 2083 } 2084 fact.destroyServer(server); 2085 comm.destroy(); 2086 } 2087 { 2088 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2089 // Should have no effect. 2090 initData.properties.setProperty("IceSSL.TrustOnly.Server", "!CN=Server"); 2091 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2092 2093 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2094 test(fact != null); 2095 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2096 ServerPrx server = fact.createServer(d); 2097 try 2098 { 2099 server.ice_ping(); 2100 } 2101 catch(Ice.LocalException ex) 2102 { 2103 ex.printStackTrace(); 2104 test(false); 2105 } 2106 fact.destroyServer(server); 2107 comm.destroy(); 2108 } 2109 { 2110 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2111 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2112 2113 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2114 test(fact != null); 2115 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2116 d.put("IceSSL.TrustOnly.Server", "CN=Server"); 2117 ServerPrx server = fact.createServer(d); 2118 try 2119 { 2120 server.ice_ping(); 2121 test(false); 2122 } 2123 catch(Ice.LocalException ex) 2124 { 2125 } 2126 fact.destroyServer(server); 2127 comm.destroy(); 2128 } 2129 { 2130 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2131 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2132 2133 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2134 test(fact != null); 2135 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2136 d.put("IceSSL.TrustOnly.Server", "!CN=Client"); 2137 ServerPrx server = fact.createServer(d); 2138 try 2139 { 2140 server.ice_ping(); 2141 test(false); 2142 } 2143 catch(Ice.LocalException ex) 2144 { 2145 } 2146 fact.destroyServer(server); 2147 comm.destroy(); 2148 } 2149 out.println("ok"); 2150 2151 out.print("testing IceSSL.TrustOnly.Server.<AdapterName>... "); 2152 out.flush(); 2153 { 2154 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2155 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2156 2157 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2158 test(fact != null); 2159 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2160 d.put("IceSSL.TrustOnly.Server", "CN=bogus"); 2161 d.put("IceSSL.TrustOnly.Server.ServerAdapter", 2162 "C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 2163 ServerPrx server = fact.createServer(d); 2164 try 2165 { 2166 server.ice_ping(); 2167 } 2168 catch(Ice.LocalException ex) 2169 { 2170 ex.printStackTrace(); 2171 test(false); 2172 } 2173 fact.destroyServer(server); 2174 comm.destroy(); 2175 } 2176 { 2177 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2178 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2179 2180 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2181 test(fact != null); 2182 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2183 d.put("IceSSL.TrustOnly.Server.ServerAdapter", 2184 "!C=US, ST=Florida, O=ZeroC\\, Inc., OU=Ice, emailAddress=info@zeroc.com, CN=Client"); 2185 ServerPrx server = fact.createServer(d); 2186 try 2187 { 2188 server.ice_ping(); 2189 test(false); 2190 } 2191 catch(Ice.LocalException ex) 2192 { 2193 } 2194 fact.destroyServer(server); 2195 comm.destroy(); 2196 } 2197 { 2198 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2199 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2200 2201 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2202 test(fact != null); 2203 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2204 d.put("IceSSL.TrustOnly.Server.ServerAdapter", "CN=bogus"); 2205 ServerPrx server = fact.createServer(d); 2206 try 2207 { 2208 server.ice_ping(); 2209 test(false); 2210 } 2211 catch(Ice.LocalException ex) 2212 { 2213 } 2214 fact.destroyServer(server); 2215 comm.destroy(); 2216 } 2217 { 2218 initData = createClientProps(defaultProperties, defaultDir, defaultHost, "c_rsa_ca1", "cacert1"); 2219 Ice.Communicator comm = Ice.Util.initialize(args, initData); 2220 ServerFactoryPrx fact = ServerFactoryPrxHelper.checkedCast(comm.stringToProxy(factoryRef)); 2221 test(fact != null); 2222 d = createServerProps(defaultProperties, defaultDir, defaultHost, "s_rsa_dsa_ca1", "cacert1"); 2223 d.put("IceSSL.TrustOnly.Server.ServerAdapter", "!CN=bogus"); 2224 ServerPrx server = fact.createServer(d); 2225 try 2226 { 2227 server.ice_ping(); 2228 } 2229 catch(Ice.LocalException ex) 2230 { 2231 ex.printStackTrace(); 2232 test(false); 2233 } 2234 fact.destroyServer(server); 2235 comm.destroy(); 2236 } 2237 out.println("ok"); 2238 2239 out.print("testing system CAs... "); 2240 out.flush(); 2241 { 2242 // 2243 // Retry a few times in case there are connectivity problems with demo.zeroc.com. 2244 // 2245 final int retryMax = 5; 2246 final int retryDelay = 1000; 2247 int retryCount = 0; 2248 2249 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 2250 initData.properties.setProperty("IceSSL.VerifyDepthMax", "4"); 2251 initData.properties.setProperty("Ice.Override.Timeout", "5000"); // 5s timeout 2252 Ice.Communicator comm = Ice.Util.initialize(initData); 2253 Ice.ObjectPrx p = comm.stringToProxy("dummy:wss -h demo.zeroc.com -p 5064"); 2254 while(true) 2255 { 2256 try 2257 { 2258 p.ice_ping(); 2259 test(false); 2260 } 2261 catch(Ice.SecurityException ex) 2262 { 2263 // Expected, by default we don't check for system CAs. 2264 break; 2265 } 2266 catch(Ice.LocalException ex) 2267 { 2268 if((ex instanceof Ice.ConnectTimeoutException) || 2269 (ex instanceof Ice.SocketException) || 2270 (ex instanceof Ice.DNSException)) 2271 { 2272 if(++retryCount < retryMax) 2273 { 2274 out.print("retrying... "); 2275 out.flush(); 2276 try 2277 { 2278 Thread.sleep(retryDelay); 2279 } 2280 catch(InterruptedException e) 2281 { 2282 break; 2283 } 2284 continue; 2285 } 2286 } 2287 2288 out.print("warning: unable to connect to demo.zeroc.com to check system CA\n"); 2289 ex.printStackTrace(); 2290 break; 2291 } 2292 } 2293 comm.destroy(); 2294 2295 initData = createClientProps(defaultProperties, defaultDir, defaultHost); 2296 initData.properties.setProperty("IceSSL.VerifyDepthMax", "4"); 2297 initData.properties.setProperty("Ice.Override.Timeout", "5000"); // 5s timeout 2298 initData.properties.setProperty("IceSSL.UsePlatformCAs", "1"); 2299 comm = Ice.Util.initialize(initData); 2300 p = comm.stringToProxy("dummy:wss -h demo.zeroc.com -p 5064"); 2301 while(true) 2302 { 2303 try 2304 { 2305 Ice.WSConnectionInfo info = (Ice.WSConnectionInfo)p.ice_getConnection().getInfo(); 2306 IceSSL.ConnectionInfo sslinfo = (IceSSL.ConnectionInfo)info.underlying; 2307 test(sslinfo.verified); 2308 break; 2309 } 2310 catch(Ice.LocalException ex) 2311 { 2312 if((ex instanceof Ice.ConnectTimeoutException) || 2313 (ex instanceof Ice.SocketException) || 2314 (ex instanceof Ice.DNSException)) 2315 { 2316 if(++retryCount < retryMax) 2317 { 2318 out.print("retrying... "); 2319 out.flush(); 2320 try 2321 { 2322 Thread.sleep(retryDelay); 2323 } 2324 catch(InterruptedException e) 2325 { 2326 break; 2327 } 2328 continue; 2329 } 2330 } 2331 2332 out.print("warning: unable to connect to demo.zeroc.com to check system CA\n"); 2333 ex.printStackTrace(); 2334 break; 2335 } 2336 } 2337 comm.destroy(); 2338 } 2339 out.println("ok"); 2340 2341 return factory; 2342 } 2343 } 2344