authorAlex Klyubin <klyubin@google.com>2013-11-14 12:01:30 -0800
committerAndroid Git Automerger <android-git-automerger@android.com>2013-11-14 12:01:30 -0800
commitfe1f3d7795d9a5bdef327bd7796004bff5da7dbf (patch)
treeb6fcb37b457db465ae13cf873f2d74732a06effb /luni/src
parent314c1f4630cc07691658aa2b0c7c71899b4a1eef (diff)
parent11708986502da018afec813a9fd395b94003f160 (diff)
am 11708986: am b00f46fc: am 23b3ea3a: am e496d90d: am cef32f3b: Merge "SSLEngine: Test that server params are verified" into jb-dev
* commit '11708986502da018afec813a9fd395b94003f160': SSLEngine: Test that server params are verified
Diffstat (limited to 'luni/src')
-rw-r--r--luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java39
1 files changed, 39 insertions, 0 deletions
diff --git a/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java b/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
index 65d8690..a015d19 100644
--- a/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
+++ b/luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
@@ -16,7 +16,9 @@
package libcore.javax.net.ssl;
+import java.io.IOException;
import java.util.Arrays;
+import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
@@ -83,6 +85,20 @@ public class SSLEngineTest extends TestCase {
boolean secureRenegotiation)
throws Exception {
TestSSLContext c = TestSSLContext.create(testKeyStore, testKeyStore);
+
+ // Create a TestSSLContext where the KeyManager returns wrong (randomly generated) private
+ // keys, matching the algorithm and parameters of the correct keys.
+ // I couldn't find a more elegant way to achieve this other than temporarily replacing the
+ // first element of TestKeyStore.keyManagers while invoking TestSSLContext.create.
+ TestSSLContext cWithWrongPrivateKeys;
+ {
+ KeyManager originalKeyManager = testKeyStore.keyManagers[0];
+ testKeyStore.keyManagers[0] =
+ new RandomPrivateKeyX509ExtendedKeyManager(c.serverKeyManager);
+ cWithWrongPrivateKeys = TestSSLContext.create(testKeyStore, testKeyStore);
+ testKeyStore.keyManagers[0] = originalKeyManager;
+ }
+
String[] cipherSuites = c.clientContext.createSSLEngine().getSupportedCipherSuites();
for (String cipherSuite : cipherSuites) {
boolean errorExpected = StandardNames.IS_RI && cipherSuite.endsWith("_SHA256");
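Review bot: The swap of `testKeyStore.keyManagers[0]` is not undone if `TestSSLContext.create(testKeyStore, testKeyStore)` throws, which would leave the key store handing out random private keys to whatever uses it next. Wrapping the call as `try { cWithWrongPrivateKeys = TestSSLContext.create(testKeyStore, testKeyStore); } finally { testKeyStore.keyManagers[0] = originalKeyManager; }` keeps the mutation scoped to this block. The block also assumes element 0 is the key manager that serves the server's private key; whether that holds for every TestKeyStore passed in is not visible here, so a one-line comment or a type assertion on `originalKeyManager` would help. The enclosing method begins and ends outside the hunk.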
@@ -109,6 +125,8 @@ public class SSLEngineTest extends TestCase {
? new String[] { cipherSuite,
StandardNames.CIPHER_SUITE_SECURE_RENEGOTIATION }
: new String[] { cipherSuite });
+
+ // Check that handshake succeeds.
assertConnected(TestSSLEnginePair.create(c, new TestSSLEnginePair.Hooks() {
@Override
void beforeBeginHandshake(SSLEngine client, SSLEngine server) {
@@ -117,6 +135,27 @@ public class SSLEngineTest extends TestCase {
}
}));
assertFalse(errorExpected);
+
+ // Check that handshake fails when the server does not possess the private key
+ // corresponding to the server's certificate. This is achieved by using SSLContext
+ // cWithWrongPrivateKeys whose KeyManager returns wrong private keys that match
+ // the algorithm (and parameters) of the correct keys.
+ if (!cipherSuite.contains("_anon_")) {
+ // The identity of the server is verified only in non-anonymous key exchanges.
+ try {
+ TestSSLEnginePair p = TestSSLEnginePair.create(
+ cWithWrongPrivateKeys, new TestSSLEnginePair.Hooks() {
+ @Override
+ void beforeBeginHandshake(SSLEngine client, SSLEngine server) {
+ client.setEnabledCipherSuites(cipherSuiteArray);
+ server.setEnabledCipherSuites(cipherSuiteArray);
+ }
+ });
+ assertConnected(p);
+ fail("Handshake succeeded for " + cipherSuite
+ + " despite server not having the correct private key");
+ } catch (IOException expected) {}
+ }
} catch (Exception maybeExpected) {
if (!errorExpected) {
throw new Exception("Problem trying to connect cipher suite " + cipherSuite,
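Review bot: The negative check at `catch (IOException expected) {}` accepts any IOException, so the test also passes when the handshake with `cWithWrongPrivateKeys` fails for a reason unrelated to the key mismatch, such as a context set-up or cipher-suite negotiation error. In that case the server private-key verification this test is meant to pin would go unexercised without anyone noticing. Consider catching the narrowest type the engine pair raises for a failed handshake (presumably `SSLHandshakeException`, to be confirmed against TestSSLEnginePair), or inspecting the exception before discarding it. The empty catch body would also read better as `} catch (IOException expected) { /* handshake must fail: server lacks the matching private key */ }`. The enclosing try/catch and the cipher-suite loop continue outside the hunk.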