From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 3/3] Add optional test case against badssl.com
badssl.com maintains a number of subdomains with valid and invalid TLS
configurations. A number of these test certificates which fail in
certain scenarios (revoked, expired, etc). Add a test runner which
validates SSLSocket's implementation against badssl.com.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 org/mozilla/jss/tests/BadSSL.java
diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java
new file mode 100644
index 00000000..60bfe820
--- /dev/null
+++ b/org/mozilla/jss/tests/BadSSL.java
@@ -0,0 +1,208 @@
+package org.mozilla.jss.tests;
+
+import org.mozilla.jss.CryptoManager;
+
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketException;
+
+import org.mozilla.jss.util.NativeErrcodes;
+
+/**
+ * The BadSSL test case maintains an internal mapping from badssl.com
+ * subdomains to expected exceptions and validates they occur.
+ *
+ * Since badssl.com offers no guaranteed SLA or availability, we likely
+ * shouldn't add this site to automated tests.
+ */
+
+public class BadSSL {
+ public static void main(String[] args) throws Exception {
+ boolean ocsp = false;
+
+ if (args.length < 1) {
+ System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]");
+ return;
+ }
+
+ if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) {
+ System.out.println("Enabling leaf and chain policy...");
+ ocsp = true;
+ }
+
+ CryptoManager.initialize(args[0]);
+ CryptoManager cm = CryptoManager.getInstance();
+
+ if (ocsp) {
+ cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
+ }
+
+
+ // Test cases which should fail due to various certificate errors.
+ testExpired();
+ testWrongHost();
+ testSelfSigned();
+ testUntrustedRoot();
+
+ // The following test cases depend on crypto-policies or local NSS
+ // configuration.
+ testSHA1();
+ testRC4MD5();
+ testRC4();
+ test3DES();
+ testNULL();
+
+ // The following test cases depend on OCSP being enabled.
+ if (ocsp) {
+ testRevoked();
+ }
+
+ // Test cases which should pass given the correct root certs.
+ testSHA256();
+ testSHA384();
+ testSHA512();
+
+ testECC256();
+ testECC384();
+
+ testRSA2048();
+ testRSA4096();
+ testRSA8192();
+
+ testExtendedValidation();
+ }
+
+ /* Test cases whose handshakes should fail below. */
+
+ public static void testExpired() throws Exception {
+ testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" });
+ }
+
+ public static void testWrongHost() throws Exception {
+ testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" });
+ }
+
+ public static void testSelfSigned() throws Exception {
+ testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" });
+ }
+
+ public static void testUntrustedRoot() throws Exception {
+ testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" });
+ }
+
+ public static void testRevoked() throws Exception {
+ testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" });
+ }
+
+ public static void testSHA1() throws Exception {
+ testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4MD5() throws Exception {
+ testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4() throws Exception {
+ testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void test3DES() throws Exception {
+ testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testNULL() throws Exception {
+ testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ /* Test cases which should handshake successfully below. */
+
+ public static void testSHA256() throws Exception {
+ testHelper("sha256.badssl.com", 443);
+ }
+
+ public static void testSHA384() throws Exception {
+ testHelper("sha384.badssl.com", 443);
+ }
+
+ public static void testSHA512() throws Exception {
+ testHelper("sha512.badssl.com", 443);
+ }
+
+ public static void testECC256() throws Exception {
+ testHelper("ecc256.badssl.com", 443);
+ }
+
+ public static void testECC384() throws Exception {
+ testHelper("ecc384.badssl.com", 443);
+ }
+
+ public static void testRSA2048() throws Exception {
+ testHelper("rsa2048.badssl.com", 443);
+ }
+
+ public static void testRSA4096() throws Exception {
+ testHelper("rsa4096.badssl.com", 443);
+ }
+
+ public static void testRSA8192() throws Exception {
+ testHelper("rsa8192.badssl.com", 443);
+ }
+
+ public static void testExtendedValidation() throws Exception {
+ testHelper("extended-validation.badssl.com", 443);
+ }
+
+ /* Test case helpers. */
+
+ public static void testHelper(String host, int port) throws Exception {
+ testSite(host, port);
+ System.out.println("\t...ok");
+ }
+
+ public static void testHelper(String host, int port, String[] substrs) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ String actual = sse.getMessage().toLowerCase();
+
+ for (String expected : substrs) {
+ if (actual.contains(expected.toLowerCase())) {
+ System.out.println("\t...got expected error message.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error message: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testHelper(String host, int port, int[] codes) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ int actual = sse.getErrcode();
+ for (int expected : codes) {
+ if (actual == expected) {
+ System.out.println("\t...got expected error code.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error code: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testSite(String host, int port) throws Exception {
+ System.out.println("Testing connection to " + host + ":" + port);
+ SSLSocket sock = new SSLSocket(host, 443);
+ sock.forceHandshake();
+ sock.shutdownOutput();
+ sock.shutdownInput();
+ sock.close();
+ }
+}
--
2.21.0