/hg/icedtea7-forest/jdk: 2 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Fri Apr 3 17:51:32 UTC 2015
changeset e7690bee9a77 in /hg/icedtea7-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea7-forest/jdk?cmd=changeset;node=e7690bee9a77
author: xuelei
date: Fri Apr 03 18:26:32 2015 +0100
6956398, PR2250: make ephemeral DH key match the length of the certificate key
Reviewed-by: weijun
changeset 25ae097ee625 in /hg/icedtea7-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea7-forest/jdk?cmd=changeset;node=25ae097ee625
author: andrew
date: Fri Apr 03 17:19:21 2015 +0100
PR2250: JSSE server is still limited to 768-bit DHE
Summary: Alter 6956398 so that legacy mode is default and 1024-bit keys come with "jdk8" mode.
diffstat:
src/share/classes/sun/security/ssl/ServerHandshaker.java | 217 ++++-
test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java | 477 ++++++++++
2 files changed, 684 insertions(+), 10 deletions(-)
diffs (truncated from 750 to 500 lines):
diff -r bf4c2a6c354d -r 25ae097ee625 src/share/classes/sun/security/ssl/ServerHandshaker.java
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 16:52:05 2015 +0100
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 17:19:21 2015 +0100
@@ -40,6 +40,8 @@
import javax.security.auth.Subject;
+import sun.security.util.KeyUtil;
+import sun.security.action.GetPropertyAction;
import sun.security.ssl.HandshakeMessage.*;
import sun.security.ssl.CipherSuite.*;
import sun.security.ssl.SignatureAndHashAlgorithm.*;
@@ -94,6 +96,50 @@
// the preferable signature algorithm used by ServerKeyExchange message
SignatureAndHashAlgorithm preferableSignatureAlgorithm;
+ // Flag to use smart ephemeral DH key which size matches the corresponding
+ // authentication key
+ private static final boolean useSmartEphemeralDHKeys;
+
+ // Flag to use legacy ephemeral DH key which size is 512 bits for
+ // exportable cipher suites, and 768 bits for others
+ private static final boolean useLegacyEphemeralDHKeys;
+
+ // The customized ephemeral DH key size for non-exportable cipher suites.
+ private static final int customizedDHKeySize;
+
+ static {
+ String property = AccessController.doPrivileged(
+ new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
+ if (property == null || property.length() == 0) {
+ useLegacyEphemeralDHKeys = true;
+ useSmartEphemeralDHKeys = false;
+ customizedDHKeySize = -1;
+ } else if ("matched".equals(property)) {
+ useLegacyEphemeralDHKeys = false;
+ useSmartEphemeralDHKeys = true;
+ customizedDHKeySize = -1;
+ } else if ("jdk8".equals(property)) {
+ useLegacyEphemeralDHKeys = false;
+ useSmartEphemeralDHKeys = false;
+ customizedDHKeySize = -1;
+ } else {
+ useLegacyEphemeralDHKeys = false;
+ useSmartEphemeralDHKeys = false;
+
+ try {
+ customizedDHKeySize = parseUnsignedInt(property);
+ if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
+ throw new IllegalArgumentException(
+ "Customized DH key size should be positive integer " +
+ "between 1024 and 2048 bits, inclusive");
+ }
+ } catch (NumberFormatException nfe) {
+ throw new IllegalArgumentException(
+ "Invalid system property jdk.tls.ephemeralDHKeySize");
+ }
+ }
+ }
+
/*
* Constructor ... use the keys found in the auth context.
*/
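Review bot: The static initializer does not accept the value "legacy": its branches cover unset/empty, "matched" and "jdk8", so `-Djdk.tls.ephemeralDHKeySize=legacy` falls into the final `else`, `parseUnsignedInt` throws `NumberFormatException`, and the rethrown `IllegalArgumentException` escapes the class initializer. The DHEKeySizing test added by this same commit has three `@run` lines that pass `=legacy`, and a deployment carrying that setting over from a JDK 8 configuration would presumably fail the same way. Folding it into the first branch keeps both spellings working: `if (property == null || property.length() == 0 || "legacy".equals(property)) {`. Because 768-bit DH remains the default for non-export suites, a comment on that branch should say that operators must set "jdk8", "matched" or an explicit size to get at least 1024 bits.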
@@ -1048,7 +1094,7 @@
}
}
- setupEphemeralDHKeys(suite.exportable);
+ setupEphemeralDHKeys(suite.exportable, privateKey);
break;
case K_ECDHE_RSA:
// need RSA certs for authentication
@@ -1085,7 +1131,8 @@
if (setupPrivateKeyAndChain("DSA") == false) {
return false;
}
- setupEphemeralDHKeys(suite.exportable);
+
+ setupEphemeralDHKeys(suite.exportable, privateKey);
break;
case K_ECDHE_ECDSA:
// get preferable peer signature algorithm for server key exchange
@@ -1129,7 +1176,7 @@
break;
case K_DH_ANON:
// no certs needed for anonymous
- setupEphemeralDHKeys(suite.exportable);
+ setupEphemeralDHKeys(suite.exportable, null);
break;
case K_ECDH_ANON:
// no certs needed for anonymous
@@ -1178,15 +1225,69 @@
* Acquire some "ephemeral" Diffie-Hellman keys for this handshake.
* We don't reuse these, for improved forward secrecy.
*/
- private void setupEphemeralDHKeys(boolean export) {
+ private void setupEphemeralDHKeys(boolean export, Key key) {
/*
- * Diffie-Hellman keys ... we use 768 bit private keys due
- * to the "use twice as many key bits as bits you want secret"
- * rule of thumb, assuming we want the same size premaster
- * secret with Diffie-Hellman and RSA key exchanges. Except
- * that exportable ciphers max out at 512 bits modulus values.
+ * 768 bits ephemeral DH private keys were used to be used in
+ * ServerKeyExchange except that exportable ciphers max out at 512
+ * bits modulus values. We still adhere to this behavior in legacy
+ * mode (system property "jdk.tls.ephemeralDHKeySize"
+ * is not defined).
+ *
+ * New JDK (JDK 8 and later) releases use a 1024 bit DH key for
+ * non-exportable cipher suites in default mode and this can
+ * be enabled when the system property "jdk.tls.ephemeralDHKeySize"
+ * is defined as "jdk8".
+ *
+ * However, if applications want more stronger strength, setting
+ * system property "jdk.tls.ephemeralDHKeySize" to "matched"
+ * is a workaround to use ephemeral DH key which size matches the
+ * corresponding authentication key. For example, if the public key
+ * size of an authentication certificate is 2048 bits, then the
+ * ephemeral DH key size should be 2048 bits accordingly unless
+ * the cipher suite is exportable. This key sizing scheme keeps
+ * the cryptographic strength consistent between authentication
+ * keys and key-exchange keys.
+ *
+ * Applications may also want to customize the ephemeral DH key size
+ * to a fixed length for non-exportable cipher suites. This can be
+ * approached by setting system property "jdk.tls.ephemeralDHKeySize"
+ * to a valid positive integer between 1024 and 2048 bits, inclusive.
+ *
+ * Note that the minimum acceptable key size is 1024 bits except
+ * exportable cipher suites or legacy mode.
+ *
+ * Note that the maximum acceptable key size is 2048 bits because
+ * DH keys bigger than 2048 are not always supported by underlying
+ * JCE providers.
+ *
+ * Note that per RFC 2246, the key size limit of DH is 512 bits for
+ * exportable cipher suites. Because of the weakness, exportable
+ * cipher suites are deprecated since TLS v1.1 and they are not
+ * enabled by default in Oracle provider. The legacy behavior is
+ * reserved and 512 bits DH key is always used for exportable
+ * cipher suites.
*/
- dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom());
+ int keySize = export ? 512 : 1024; // default mode
+ if (!export) {
+ if (useLegacyEphemeralDHKeys) { // legacy mode
+ keySize = 768;
+ } else if (useSmartEphemeralDHKeys) { // matched mode
+ if (key != null) {
+ int ks = KeyUtil.getKeySize(key);
+ // Note that SunJCE provider only supports 2048 bits DH
+ // keys bigger than 1024. Please DON'T use value other
+ // than 1024 and 2048 at present. We may improve the
+ // underlying providers and key size here in the future.
+ //
+ // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
+ keySize = ks <= 1024 ? 1024 : 2048;
+ } // Otherwise, anonymous cipher suites, 1024-bit is used.
+ } else if (customizedDHKeySize > 0) { // customized mode
+ keySize = customizedDHKeySize;
+ }
+ }
+
+ dh = new DHCrypt(keySize, sslContext.getSecureRandom());
}
// Setup the ephemeral ECDH parameters.
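Review bot: The customized branch passes `customizedDHKeySize` straight to `new DHCrypt(...)`, yet the static initializer accepts any integer from 1024 to 2048 while the comment in the matched branch says SunJCE supports only 1024 and 2048. A setting such as 1536 therefore passes startup validation and is first exercised during a handshake; what DHCrypt does with it is not visible in this hunk, but the comment suggests key generation would fail. Either restrict the accepted values at startup or apply the same clamp as matched mode, `keySize = customizedDHKeySize <= 1024 ? 1024 : 2048;`. Separately, `// default mode` on `int keySize = export ? 512 : 1024;` is stale under this patch, because an unset property now selects legacy mode (768 bits) and 1024 is reached only with "jdk8"; `// "jdk8" mode` would be accurate.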
@@ -1686,4 +1787,100 @@
session.setPeerCertificates(peerCerts);
}
+
+ /**
+ * Parses the string argument as an unsigned integer in the radix
+ * specified by the second argument. An unsigned integer maps the
+ * values usually associated with negative numbers to positive
+ * numbers larger than {@code MAX_VALUE}.
+ *
+ * The characters in the string must all be digits of the
+ * specified radix (as determined by whether {@link
+ * java.lang.Character#digit(char, int)} returns a nonnegative
+ * value), except that the first character may be an ASCII plus
+ * sign {@code '+'} (<code>'\u002B'</code>). The resulting
+ * integer value is returned.
+ *
+ * <p>An exception of type {@code NumberFormatException} is
+ * thrown if any of the following situations occurs:
+ * <ul>
+ * <li>The first argument is {@code null} or is a string of
+ * length zero.
+ *
+ * <li>The radix is either smaller than
+ * {@link java.lang.Character#MIN_RADIX} or
+ * larger than {@link java.lang.Character#MAX_RADIX}.
+ *
+ * <li>Any character of the string is not a digit of the specified
+ * radix, except that the first character may be a plus sign
+ * {@code '+'} (<code>'\u002B'</code>) provided that the
+ * string is longer than length 1.
+ *
+ * <li>The value represented by the string is larger than the
+ * largest unsigned {@code int}, 2<sup>32</sup>-1.
+ *
+ * </ul>
+ *
+ *
+ * @param s the {@code String} containing the unsigned integer
+ * representation to be parsed
+ * @param radix the radix to be used while parsing {@code s}.
+ * @return the integer represented by the string argument in the
+ * specified radix.
+ * @throws NumberFormatException if the {@code String}
+ * does not contain a parsable {@code int}.
+ * @since 1.8
+ */
+ private static int parseUnsignedInt(String s, int radix)
+ throws NumberFormatException {
+ if (s == null) {
+ throw new NumberFormatException("null");
+ }
+
+ int len = s.length();
+ if (len > 0) {
+ char firstChar = s.charAt(0);
+ if (firstChar == '-') {
+ throw new
+ NumberFormatException(String.format("Illegal leading minus sign " +
+ "on unsigned string %s.", s));
+ } else {
+ if (len <= 5 || // Integer.MAX_VALUE in Character.MAX_RADIX is 6 digits
+ (radix == 10 && len <= 9) ) { // Integer.MAX_VALUE in base 10 is 10 digits
+ return Integer.parseInt(s, radix);
+ } else {
+ long ell = Long.parseLong(s, radix);
+ if ((ell & 0xffff_ffff_0000_0000L) == 0) {
+ return (int) ell;
+ } else {
+ throw new
+ NumberFormatException(String.format("String value %s exceeds " +
+ "range of unsigned int.", s));
+ }
+ }
+ }
+ } else {
+ throw new NumberFormatException("For input string: \"" + s + "\"");
+ }
+ }
+
+ /**
+ * Parses the string argument as an unsigned decimal integer. The
+ * characters in the string must all be decimal digits, except
+ * that the first character may be an an ASCII plus sign {@code
+ * '+'} (<code>'\u002B'</code>). The resulting integer value
+ * is returned, exactly as if the argument and the radix 10 were
+ * given as arguments to the {@link
+ * #parseUnsignedInt(java.lang.String, int)} method.
+ *
+ * @param s a {@code String} containing the unsigned {@code int}
+ * representation to be parsed
+ * @return the unsigned integer value represented by the argument in decimal.
+ * @throws NumberFormatException if the string does not contain a
+ * parsable unsigned integer.
+ * @since 1.8
+ */
+ private static int parseUnsignedInt(String s) throws NumberFormatException {
+ return parseUnsignedInt(s, 10);
+ }
}
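Review bot: The two `parseUnsignedInt` helpers add close to a hundred lines for a single call site whose result is immediately range-checked to 1024–2048, so `Integer.parseInt(property)` in the static initializer would reject the same inputs: negative values and anything above 2048 fail the range check, and non-numeric text still raises `NumberFormatException`. If the copy is kept (it appears to be a backport of the JDK 8 `Integer.parseUnsignedInt`), the `@since 1.8` tags should be dropped, since these are private methods in a JDK 7 tree, and a one-line comment such as `// Backported from java.lang.Integer (JDK 8)` would tell maintainers where it came from. The unsigned semantics also deserve a line at the call site: values between 2^31 and 2^32-1 come back as negative ints and are rejected only by the `< 1024` check.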
diff -r bf4c2a6c354d -r 25ae097ee625 test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java Fri Apr 03 17:19:21 2015 +0100
@@ -0,0 +1,477 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 6956398
+ * @summary make ephemeral DH key match the length of the certificate key
+ * @run main/othervm
+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75
+ *
+ * @run main/othervm
+ * DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 292 75
+ *
+ * @run main/othervm
+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1510 139
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1414 107
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1894 267
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1510 139
+ *
+ * @run main/othervm
+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy
+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 388 107
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched
+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139
+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024
+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139
+ */
+
+/*
+ * This is a simple hack to test key sizes of Diffie-Hellman key exchanging
+ * during SSL/TLS handshaking.
+ *
+ * The record length of DH ServerKeyExchange and ClientKeyExchange.
+ * ServerKeyExchange message are wrapped in ServerHello series messages, which
+ * contains ServerHello, Certificate and ServerKeyExchange message.
+ *
+ * struct {
+ * opaque dh_p<1..2^16-1>;
+ * opaque dh_g<1..2^16-1>;
+ * opaque dh_Ys<1..2^16-1>;
+ * } ServerDHParams; // Ephemeral DH parameters
+ *
+ * struct {
+ * select (PublicValueEncoding) {
+ * case implicit: struct { };
+ * case explicit: opaque dh_Yc<1..2^16-1>;
+ * } dh_public;
+ * } ClientDiffieHellmanPublic;
+ *
+ * Fomr above structures, it is clear that if the DH key size increasing 128
+ * bits (16 bytes), the ServerHello series messages increases 48 bytes
+ * (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange
+ * increases 16 bytes (because of the size increasing of dh_Yc).
+ *
+ * Here is a summary of the record length in the test case.
+ *
+ * | ServerHello Series | ClientKeyExchange | ServerHello Anon
+ * 512-bit | 1318 bytes | 75 bytes | 292 bytes
+ * 768-bit | 1414 bytes | 107 bytes | 388 bytes
+ * 1024-bit | 1510 bytes | 139 bytes | 484 bytes
+ * 2048-bit | 1894 bytes | 267 bytes | 484 bytes
+ */
+
+import javax.net.ssl.*;
+import javax.net.ssl.SSLEngineResult.*;
+import java.io.*;
+import java.nio.*;
+import java.security.KeyStore;
+import java.security.KeyFactory;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.util.Base64;
+
+public class DHEKeySizing {
+
+ private static boolean debug = true;
+
+ private SSLContext sslc;
+ private SSLEngine ssle1; // client
+ private SSLEngine ssle2; // server
+
+ private ByteBuffer appOut1; // write side of ssle1
+ private ByteBuffer appIn1; // read side of ssle1
+ private ByteBuffer appOut2; // write side of ssle2
+ private ByteBuffer appIn2; // read side of ssle2
+
+ private ByteBuffer oneToTwo; // "reliable" transport ssle1->ssle2
+ private ByteBuffer twoToOne; // "reliable" transport ssle2->ssle1
+
+ /*
+ * Where do we find the keystores?
+ */
+ // Certificates and key used in the test.
+ static String trustedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIIC8jCCAdqgAwIBAgIEUjkuRzANBgkqhkiG9w0BAQUFADA7MR0wGwYDVQQLExRT\n" +
+ "dW5KU1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMw\n" +
+ "HhcNMTMwOTE4MDQzODMxWhcNMTMxMjE3MDQzODMxWjA7MR0wGwYDVQQLExRTdW5K\n" +
+ "U1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMwggEi\n" +
+ "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCO+IGeaskJAvEcYc7pCl9neK3E\n" +
+ "a28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0LKXArpI3thLNK\n" +
+ "QLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO19FbjxAfInJqk\n" +
+ "3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ7MrIOqHPd+8r\n" +
+ "RbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTkM65T1hnnOv5n\n" +
+ "ZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+PqPgWNl3+/AgMB\n" +
+ "AAEwDQYJKoZIhvcNAQEFBQADggEBAAlrP6DFLRPSy0IgQhcI2i56tR/na8pezSte\n" +
+ "ZHcCdaCZPDy4UP8mpLJ9QCjEB5VJv8hPm4xdK7ULnKGOGHgYqDpV2ZHvQlhV1woQ\n" +
+ "TZGb/LM3c6kAs0j4j9KM2fq3iYUYexjIkS1KzsziflxMM6igS9BRMBR2LQyU+cYq\n" +
+ "YEsFzkF7Aj2ET4v/+tgot9mRr2NioJcaJkdsPDpMU3IKB1cczfu+OuLQ/GCG0Fqu\n" +
+ "6ijCeCqfnaAbemHbJeVZZ6Qgka3uC2YMntLBmLkhqEo1d9zGYLoh7oWL77y5ibQZ\n" +
+ "LK5/H/zikcu579TWjlDHcqL3arCwBcrtsjSaPrRSWMrWV/6c0qw=\n" +
+ "-----END CERTIFICATE-----";
+
+ // Private key in the format of PKCS#8
+ static String targetPrivateKey =
+ "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO+IGeaskJAvEc\n" +
+ "Yc7pCl9neK3Ea28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0L\n" +
+ "KXArpI3thLNKQLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO1\n" +
+ "9FbjxAfInJqk3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ\n" +
+ "7MrIOqHPd+8rRbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTk\n" +
+ "M65T1hnnOv5nZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+Pq\n" +
+ "PgWNl3+/AgMBAAECggEAPdb5Ycc4m4A9QBSCRcRpzbyiFLKPh0HDg1n65q4hOtYr\n" +
+ "kAVYTVFTSF/lqGS+Ob3w2YIKujQKSUQrvCc5UHdFuHXMgxKIWbymK0+DAMb9SlYw\n" +
+ "6lkkcWp9gx9E4dnJ/df2SAAxovvrKMuHlL1SFASHhVtPfH2URvSfUaANLDXxyYOs\n" +
+ "8BX0Nr6wazhWjLjXo9yIGnKSvFfB8XisYcA78kEgas43zhmIGCDPqaYyyffOfRbx\n" +
+ "pM1KNwGmlN86iWR1CbwA/wwhcMySWQueS+s7cHbpRqZIYJF9jEeELiwi0vxjealS\n" +
+ "EMuHYedIRFMWaDIq9XyjrvXamHb0Z25jlXBNZHaM0QKBgQDE9adl+zAezR/n79vw\n" +
+ "0XiX2Fx1UEo3ApZHuoA2Q/PcBk+rlKqqQ3IwTcy6Wo648wK7v6Nq7w5nEWcsf0dU\n" +
+ "QA2Ng/AJEev/IfF34x7sKGYxtk1gcE0EuSBA3R+ocEZxnNw1Ryd5nUU24s8d4jCP\n" +
+ "Mkothnyaim+zE2raDlEtVc0CaQKBgQC509av+02Uq5oMjzbQp5PBJfQFjATOQT15\n" +
+ "eefYnVYurkQ1kcVfixkrO2ORhg4SjmI2Z5hJDgGtXdwgidpzkad+R2epS5qLMyno\n" +
+ "lQVpY6bMpEZ7Mos0yQygxnm8uNohEcTExOe+nP5fNJVpzBsGmfeyYOhnPQlf6oqf\n" +
+ "0cHizedb5wKBgQC/l5LyMil6HOGHlhzmIm3jj7VI7QR0hJC5T6N+phVml8ESUDjA\n" +
+ "DYHbmSKouISTRtkG14FY+RiSjCxH7bvuKazFV2289PETquogTA/9e8MFYqfcQwG4\n" +
+ "sXi9gBxWlnj/9a2EKiYtOB5nKLR/BlNkSHA93tAA6N+FXEMZwMmYhxk42QKBgAuY\n" +
+ "HQgD3PZOsqDf+qKQIhbmAFCsSMx5o5VFtuJ8BpmJA/Z3ruHkMuDQpsi4nX4o5hXQ\n" +
+ "5t6AAjjH52kcUMXvK40kdWJJtk3DFnVNfvXxYsHX6hHbuHXFqYUKfSP6QJnZmvZP\n" +
+ "9smcz/4usLfWJUWHK740b6upUkFqx9Vq5/b3s9y3AoGAdM5TW7LkkOFsdMGVAUzR\n" +
+ "9iXmCWElHTK2Pcp/3yqDBHSfiQx6Yp5ANyPnE9NBM0yauCfOyBB2oxLO4Rdv3Rqk\n" +
+ "9V9kyR/YAGr7dJaPcQ7pZX0OpkzgueAOJYPrx5VUzPYUtklYV1ycFZTfKlpFCxT+\n" +
+ "Ei6KUo0NXSdUIcB4yib1J10=";
+
+ static char passphrase[] = "passphrase".toCharArray();
+
+ /*
+ * Majority of the test case is here, setup is done below.
+ */
+
+ private void createSSLEngines() throws Exception {
+ ssle1 = sslc.createSSLEngine("client", 1);
+ ssle1.setUseClientMode(true);
+
+ ssle2 = sslc.createSSLEngine("server", 2);
+ ssle2.setUseClientMode(false);
+ }
+
+ private boolean isHandshaking(SSLEngine e) {
+ return (e.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING);
+ }
+
+ private void checkResult(ByteBuffer bbIn, ByteBuffer bbOut,
+ SSLEngineResult result,
+ Status status, HandshakeStatus hsStatus,
+ int consumed, int produced)
+ throws Exception {
+
+ if ((status != null) && (result.getStatus() != status)) {
+ throw new Exception("Unexpected Status: need = " + status +
+ " got = " + result.getStatus());
+ }
+
+ if ((hsStatus != null) && (result.getHandshakeStatus() != hsStatus)) {
+ throw new Exception("Unexpected hsStatus: need = " + hsStatus +
+ " got = " + result.getHandshakeStatus());
+ }
+
+ if ((consumed != -1) && (consumed != result.bytesConsumed())) {
+ throw new Exception("Unexpected consumed: need = " + consumed +
+ " got = " + result.bytesConsumed());
+ }
+
+ if ((produced != -1) && (produced != result.bytesProduced())) {
+ throw new Exception("Unexpected produced: need = " + produced +
+ " got = " + result.bytesProduced());
+ }
+
+ if ((consumed != -1) && (bbIn.position() != result.bytesConsumed())) {
+ throw new Exception("Consumed " + bbIn.position() +
+ " != " + consumed);