1 /*
2  * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4  *
5  * This code is free software; you can redistribute it and/or modify it
6  * under the terms of the GNU General Public License version 2 only, as
7  * published by the Free Software Foundation.
8  *
9  * This code is distributed in the hope that it will be useful, but WITHOUT
10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12  * version 2 for more details (a copy is included in the LICENSE file that
13  * accompanied this code).
14  *
15  * You should have received a copy of the GNU General Public License version
16  * 2 along with this work; if not, write to the Free Software Foundation,
17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  *
19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20  * or visit www.oracle.com if you need additional information or have any
21  * questions.
22  */
23 
24 import java.io.IOException;
25 import java.security.NoSuchAlgorithmException;
26 import java.security.PrivilegedActionException;
27 import java.util.HashMap;
28 import java.util.Map;
29 import java.security.Security;
30 
31 import javax.security.auth.login.LoginException;
32 
33 /*
34  * @test
35  * @bug 8025123 8208350
36  * @summary Checks if an unbound server pick up a correct key from keytab
37  * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock UnboundSSLMultipleKeys
38  *                              unbound.ssl.jaas.conf server_star
39  * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock UnboundSSLMultipleKeys
40  *                              unbound.ssl.jaas.conf server_multiple_principals
41  */
42 public class UnboundSSLMultipleKeys {
43 
main(String[] args)44     public static void main(String[] args)
45             throws IOException, NoSuchAlgorithmException, LoginException,
46             PrivilegedActionException, InterruptedException {
47         Security.setProperty("jdk.tls.disabledAlgorithms", "");
48         UnboundSSLMultipleKeys test = new UnboundSSLMultipleKeys();
49         test.start(args[0], args[1]);
50     }
51 
start(String jaacConfigFile, String serverJaasConfig)52     private void start(String jaacConfigFile, String serverJaasConfig)
53             throws IOException, NoSuchAlgorithmException, LoginException,
54             PrivilegedActionException, InterruptedException {
55 
56         // define service principals
57         String service1host = "service1." + UnboundSSLUtils.HOST;
58         String service2host = "service2." + UnboundSSLUtils.HOST;
59         String service3host = "service3." + UnboundSSLUtils.HOST;
60         String service1Principal = "host/" + service1host + "@"
61                 + UnboundSSLUtils.REALM;
62         String service2Principal = "host/" + service2host + "@"
63                 + UnboundSSLUtils.REALM;
64         String service3Principal = "host/" + service3host + "@"
65                 + UnboundSSLUtils.REALM;
66 
67         Map<String, String> principals = new HashMap<>();
68         principals.put(UnboundSSLUtils.USER_PRINCIPAL,
69                 UnboundSSLUtils.USER_PASSWORD);
70         principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, "pass");
71         principals.put(service1Principal, "pass0");
72         principals.put(service1Principal, "pass1");
73         principals.put(service1Principal, "pass2");
74         principals.put(service2Principal, "pass");
75         principals.put(service3Principal, "pass");
76 
77         System.setProperty("java.security.krb5.conf",
78                 UnboundSSLUtils.KRB5_CONF_FILENAME);
79 
80         /*
81          * Start a local KDC instance
82          *
83          * Keytab file contains 3 keys (with different KVNO) for service1
84          * principal, but password for only one key is the same with the record
85          * for service1 principal in KDC.
86          */
87         KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
88                 UnboundSSLUtils.REALM, principals,
89                 UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
90 
91         System.setProperty("java.security.auth.login.config",
92                 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
93         System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
94 
95         // start an SSL server instance
96         try (SSLEchoServer server = SSLEchoServer.init(
97                 UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) {
98 
99             UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig);
100 
101             //  wait for the server is ready
102             while (!server.isReady()) {
103                 Thread.sleep(UnboundSSLUtils.DELAY);
104             }
105 
106             // run a client
107             System.out.println("Successful connection is expected");
108             SSLClient.init(UnboundSSLUtils.HOST, server.getPort(),
109                     UnboundSSLUtils.TLS_KRB5_FILTER, service1host).connect();
110         }
111 
112         System.out.println("Test passed");
113     }
114 
115 }
116