History log of /libcore/support/src/test/java/libcore/javax/net/ssl/
Revision Date Author Comments
58af60a00935641f4669afc358593456944644ec 29-Apr-2016 Kenny Root <kroot@google.com> SSLEngineTest: test multiple thread use

Use SSLEngine with multiple threads to make sure there are no issues.

Bug: 28473706
Change-Id: Ica180edff10d03fdf5e31621a901ad5575a762f3
estSSLEnginePair.java
9958d3c59c0b774238bf5a2e06758c11fbb702de 04-Mar-2016 Kenny Root <kroot@google.com> SSLSocketTest: make endpoint verification tests not depend on DNS

Apparently 127.0.0.2 resolves to localhost in some places, so use a
serialization trick to write an arbitrary hostname into an
InetSocketAddress. This allows us to substitute any valid SNI hostname
during testing.

Bug: 27271561
Change-Id: If2351c424bc1f1193a42fe93a983948a19ae7ec2
estSSLContext.java
01b7734160977458d44d1fb179984fd91672f08d 01-Feb-2016 Kenny Root <kroot@google.com> Add tests for SSL handshake session and endpoint verification

Partial revert of commit 36214feb86a0963b23f34c8c63584252bd757e19.

Change-Id: I731515bd180f1ea36abf4d8c1151a75254ad0c10
estSSLContext.java
estTrustManager.java
7c4f30cf50079df52bc4572688c7c9eed129a4bb 07-Apr-2015 Sergio Giro <sgiro@google.com> libcore: change SSLEngineTest to close SSLEngine instances

It was leaking resources allocated by SSLEngine's, pipes among others,
thus causing subsequent tests to fail with "too many open files"
errors. In OpenSSLEngineImpl, the resources are freed in the finalizer,
so there's no guarantee that resources as pipes will ever be freed
unless the engines are explicitly closed.

Change-Id: Ide90808a64278486a19bcdfcba628f623c62afc9
estSSLEnginePair.java
946d9a0b59d1a615278ad52518fa588407dfebd2 07-Jan-2015 Kenny Root <kroot@google.com> SSLEngineTest: position should be same as produced/consumed

The position of the buffer should match the number of bytes produced or
consumed. Make sure all the tests have this condition on the handshake.

Bug: 18921387
Change-Id: I8d248b2ac189d801586510fb5aca2e3bd6701ffe
estSSLEnginePair.java
4e1404f2017dc7db05b69ecad241f78c5bb1a4ee 21-Nov-2014 Alex Klyubin <klyubin@google.com> Assert finite default timeout for TLS/SSL sessions.

This makes CTS tests expect 8 hours as the default timeout for TLS/SSL
sessions. Prior to this change, sessions were expected to not time out
by default.

Bug: 18370076
Change-Id: I09ae9ee91df2fb4bb2e8cc812127dc9f05a14696
estSSLContext.java
782740701db73dd2dc4fef9df8cde270b0e631a4 18-Nov-2014 Alex Klyubin <klyubin@google.com> Fix SSLContextTest.test_SSLContext_defaultConfiguration failure

This test was failing because it assumed that all SSLContext
instances have the same set of TLS protocol versions enabled.

The fix refactored SSLDefaultConfigurationAsserts class into
SSLConfigurationAsserts class. The main difference is that the new
class has wider scope: it can assert that (1) the default
configuration of TLS/SSL primitives is as expected -- exactly what
the old SSLDefaultConfigurationAsserts class offered, and (2) that
TLS/SSL primitives are configured the same as a provided SSLContext.
Assertions about the default configuration of primitives other than
SSLContext are now implemented by asserting that these primitives are
configured exactly like the default SSLContext.

Change-Id: I52d6514768c4053054df2cf79e7182d8fd87bfe2
SLConfigurationAsserts.java
SLDefaultConfigurationAsserts.java
36214feb86a0963b23f34c8c63584252bd757e19 17-Jun-2014 Brian Carlstrom <bdc@google.com> Remove

Change-Id: I143d0b26b116e75892223e74b6c22b6c8db05466
estSSLContext.java
estTrustManager.java
4352ab40ce104520bfb6588ad8eef386866ff190 29-May-2014 Alex Klyubin <klyubin@google.com> Merge "Document and assert support for TLS-PSK cipher suites."
c9461f39290f815f560f2ec50e9ccde5ff4eb8f7 09-May-2014 Alex Klyubin <klyubin@google.com> Document and assert support for TLS-PSK cipher suites.

This CL updates the Javadoc of SSLSocket and SSLEngine to list the
now supported TLS-PSK cipher suites. It also adds tests to assert
that these cipher suites are actually supported by SSLSocket and
SSLEngine.

Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
estSSLContext.java
2c8bbf4bb24657c4e71de66fd0e66ad6baad4cf5 23-May-2014 Alex Klyubin <klyubin@google.com> Simplify assertions about SSLEngine.

Now that the default SSLEngine implementation is backed by the same
OpenSSL stack as the default SSLSocket implementation, the sets of
supported/enabled cipher suites and protocols should remain the same
between SSLEngine and SSLSocket.

Change-Id: I1ed88f39b07950e5d8b6e2fc7d6482a034626de3
SLDefaultConfigurationAsserts.java
a368cef707903c2adc7868ba48a95ccdac5f7625 22-Apr-2014 Kenny Root <kroot@google.com> Fix SSLEngineTest for RI

The asymmetry between client and server with create sessions seems
strange. It seems like a bug in the RI, so make sure Android does the
right thing.

Change-Id: I7b7ab501bd1963757b7f067c6ace8230a19a3e53
estSSLEnginePair.java
727df1258e3b8386afea4778626c9ab16ef467d6 09-Apr-2014 Kenny Root <kroot@google.com> Update SSLEngineTest for OpenSSL

Our new OpenSSL-based SSLEngine supports all the new stuff and no longer
fails tests.

Change-Id: I7db8e5134ca36ebd963c7081cd7ba79d91b3e5e2
estSSLEnginePair.java
3ad1704dc8e4653f4ceaeb5d8315ddb28318a1bb 02-Apr-2014 Kenny Root <kroot@google.com> Update SSLEngineTest for RI

The RI now supports TLSv1.2 with SSLEngine, so update all the
expectations for their tests. It also appears to disable "weak"
algorithms when you select TLSv1.2.

Change-Id: I564283bb4945d3b71bee0f89c93c6dd6e238b4f8
andomPrivateKeyX509ExtendedKeyManager.java
estSSLContext.java
estSSLEnginePair.java
70bf6bc3ad78ed9a0a7a5767381ad6c25debbd70 20-Mar-2014 Kenny Root <kroot@google.com> Add X509ExtendedTrustManager

This adds the X509ExtendedTrustManager class and all its ancillary
methods that allow it to be used. This allows the
endpointVerificationAlgorithm setting to be enabled on SSLSocket to
check that the certificate given for the endpoint during the handshake
matched the expected hostname.

Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there
is a new call added to SSLSocket called getHandshakeSession which does
not force the handshake to take place.

Bug: 13103812
Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
estSSLContext.java
estTrustManager.java
edeec21a9c9e97cad91dffd47d4f2f7185dffe07 19-Mar-2014 Alex Klyubin <klyubin@google.com> Support multiple KeyManagers in TestSSLContext and TestKeyStore.

The two classes in some places assumed that only one KeyManager is
necessary or that only the first provided KeyManager is important.

Change-Id: I88629778911503ac7c233341d44612247d799d22
estSSLContext.java
2cca77af136c57106bd9a1652e54a0ee99154d89 14-Dec-2013 Alex Klyubin <klyubin@google.com> Remove HarmonyJSSE SSLContext, SSLSocket and SSLServerSocket.

Change-Id: I3c939e9275ba8f1d00342d1f83c6fdaf110f2317
estSSLContext.java
f6fb19ad30b1f0e55e9c1efda39fcaf319837bb5 14-Nov-2013 Alex Klyubin <klyubin@google.com> resolved conflicts for merge of 8629cea4 to klp-dev-plus-aosp

Change-Id: Ibd80c5f1a8b7b2fb7b4e77c40e5a0499effff6aa
0669a8cf8b08b2d66a7ff758e5e3dbd456855495 14-Nov-2013 Alex Klyubin <klyubin@google.com> SSLEngine: Test that server params are verified

This CL adds tests that check that SSLEngine's handshake fails if the
signature of server params in ServerKeyExchange does not verify.

Bug: 11631299
Change-Id: I16dfa9c07a4f094adc17aadd6fb3fe9eac88103b
orwardingX509ExtendedKeyManager.java
andomPrivateKeyX509ExtendedKeyManager.java
f605c6822da13b32cd3643415a707882b62a3e91 06-Nov-2013 Alex Klyubin <klyubin@google.com> Higher-level default configuration asserts for TLS/SSL primitives.

This adds SSLDefaultConfigurationAsserts class that offers
higher-level checks for each TLS/SSL primitive. The goals are:
* check not only the cipher suites and protocols configured but also
the configuration of child primitives (e.g., configuration of
SSLSockets returned by SSLSocketFactory, or configuration of
SSLSocketFactory returned by SSLContext).
* hide the upcoming target API level dependent configuration checks
from test classes.

Bug: 11220570
Change-Id: Iec1476a1b2d132c984413754129adfcb671885fb
SLDefaultConfigurationAsserts.java
547450702efd233213f953ba2213bb38803c34c3 09-Jun-2011 Jesse Wilson <jessewilson@google.com> Use the same host name in the SSL cert as in mockwebserver.

MockWebServer had to revert to getLocalHost() since 'getLoopbackAddress()'
doesn't exist on Java 6 and MockWebServer wants to work on Java 6.

Tested on host and device without problem.

Change-Id: Ib083ec393d34b2378da579ffc7b6a71d599f9d22
estSSLContext.java
3258b52429c7768ea91bda93c5a15257cdd390e5 18-Mar-2011 Brian Carlstrom <bdc@google.com> libcore key chain support

Allow access to default IndexedPKIXParameters, similar to access to
default TrustManager. Needed to allow framework to add/remove trusted
CAs at runtime.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

Add test support for looking up a cert by an issuer for use in key chain tests.

support/src/test/java/libcore/java/security/TestKeyStore.java

Add test support SSLSocketFactory that sets desired client auth on
each created socket. For use with MockWebServer for key chain testing.

support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java

Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
estSSLContext.java
3a3511edad46420b4287017ac66fe4783cb804db 11-Feb-2011 Jesse Wilson <jessewilson@google.com> Move tests from java.injected into libcore.

Change-Id: Ia3fee27c8f8ca38120eea3fc2582d3e1b2504cea
akeSSLSession.java
4ae3fd787741bfe1b808f447dcb0785250024119 19-Nov-2010 Brian Carlstrom <bdc@google.com> Elliptic Crypto support for OpenSSLSocketImpl

Summary:
- Enable Elliptic Crypto support for OpenSSL based SSLSocket instances
- More RI compliant usage of key types, client auth types, and server auth types
- Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates

Details:

Elliptic Curve changes

CipherSuite updates for EC
- Adding KEY_EXCHANGE_EC* and corresponding CipherSuites. Updated
isAnonymous, getKeyType (now renamed getServerKeyType) to handle
new EC cases. Added new getAuthType for use by
checkServerTrusted callers.
- Restructured code to handle two SUITES_BY_CODE_* arrays
- Remove KEY_EXCHANGE_DH_* definitions which were unused because the
corresponding CipherSuites were previously disabled.
- Changed AES CipherSuites definitions to use "_CBC" to match other definitions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java

openssl EC
- NativeCrypto now registers TLS_EC_* cipher suites and has updated default list
- Improved auth type arguments to checkClientTrusted/checkServerTrusted
- NativeCrypto support for ephemeral EC keys
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/NativeCrypto.cpp

non-openssl SSL/TLS cleanups

- cleanup around code trying to cope with DiffieHellman vs DH since either should work.
- changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation
- changed server to use CipherSuite.getKeyType
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java

Consolidate CertificateRequestType code into CipherSuite so that it's
shared between java and openssl implementations. This includes the
KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String
keyType(byte)' (now renamed getClientKeyType) code that depends on them.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java

Tests

Differentiate between supported list of cipher suites openssl-based
SSLSocket and SSLEngine based, since the SSLEngine code does not support EC.

luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java

Added testing for expected default cipher suites. Before we just ensured the values were valid.
luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java

Updated to handle new EC cipher suites codes. Added test for new getClientKeyType.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java

Better use of "standard names" particularly to correctly deal with
the subtle differences between key types, client auth types, and
server auth types. TestKeyManager and TestTrustManager now verify
the values they are passed are acceptable.

support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java

Changed to timeout after 30 seconds and to log to reveal both client and server issues.
support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java

Bug: 3058375
Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
estKeyManager.java
estSSLSocketPair.java
estTrustManager.java
6c78b7b94c232063ec559436b48b33751373ecf1 19-Nov-2010 Brian Carlstrom <bdc@google.com> Toward EC TLS support

Summary:
- javax.net.ssl tests are now working on the RI
- KeyManager can now handle EC_EC and EC_RSA
- OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates

Details:

Add CipherSuite.getKeyType to provide X509KeyManager key type strings,
refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites.
getKeyType is now also used in OpenSSLSocketImpl.startHandshake to
avoid calling setCertificate for unnecessary key types.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

New CipherSuiteTest to cover new getKeyType as well as existing functionality

luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java

Add support to KeyManager implementation for key types of the form
EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in
these new key types) with a potentially different signature algorithm
(EC vs RSA in these)

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java

Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to
EC which was added earlier. Change from array of KEY_TYPES to named
KEY_TYPE_* constants.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases

luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java

Changed TestKeyStore.createKeyStore from always using BKS to now use
JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS
requires a password, we now default "password" on the RI.

support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java
support/src/test/java/libcore/java/security/StandardNames.java

TestKeyStore.create now accepts key types like EC_RSA. Changed
TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for
signing to enable creation of EC_RSA test certificate. Added
getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry
for signing. Changed TestKeyStore.getPrivateKey to take explicit
signature algorithm to retrieve EC_EC vs EC_RSA entries.

support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/StandardNames.java

Added support for EC cipher suites on the RI. Also test with and
without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is
used to specify the new TLS secure renegotiation.

luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java

New TestKeyManager and additional logging in TestTrustManager. Logging
in both is disabled by default using DevNullPrintStream.

support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
support/src/test/java/libcore/java/io/DevNullPrintStream.java

Bug: 3058375
Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
estKeyManager.java
estTrustManager.java
8a720cceee7ce319d647738dfeda3f302879f370 16-Nov-2010 Brian Carlstrom <bdc@google.com> TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements

Revert to older behavior of creating TrustAnchors from both
PrivateKeyEntry and TrustedCertificateEntry values from the
KeyStore. Added tests to better ensure this slightly different
behavior from PKIXParameters. Also create the acceptedIssuers
proactively since the real memory cost is the X509Certificates
which are already found in the params.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java

Don't just free native state on issue with startHandshake, close
the SSLSocket. While the former addressed a CloseGuard issue, the
latter makes sure that checkOpen throws SocketExceptions and we don't
leak a NullPointerException from NativeCrypto.

luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Debugging improvements including minor refinements to recently
added NativeCrypto logging, more verbose TestKeyStore.dump output,
and a new TestTrustManager proxy class for logging X509TrustManager
behavior.

luni/src/main/native/NativeCrypto.cpp
support/src/test/java/libcore/java/security/TestKeyStore.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java

Change-Id: I317e1ca34d8e20c77e5cb9c5a5a58cb4ae98d829
estTrustManager.java
f7aab022dcbfcd8f27b409ab92b4bca4a84d0b8a 30-Sep-2010 Brian Carlstrom <bdc@google.com> CloseGuard: finalizers for closeable objects should log complaints

Introducing CloseGuard which warns when resources are implicitly
cleaned up by finalizers when an explicit termination method, to use
the Effective Java "Issue 7: Avoid finalizers" terminology, should
have been used by the caller.

libcore classes that can use CloseGuard now do so.

Bug: 3041575
Change-Id: I4a4e3554addaf3075c823feb0a0ff0ad1c1f6196
estSSLContext.java
estSSLSessions.java
estSSLSocketPair.java
4557728efb66c455a52b7669a8eefef7a9e54854 11-Aug-2010 Jesse Wilson <jessewilson@google.com> Moving tests to be under the libcore.* package.

This is intended to make it easier to run on VMs that restrict the packages
from which application classes can be loaded. For example, on the RI you need
to use the bootclasspath to load these tests.

Change-Id: I52193f35c5fcca18b5a3e1d280505b1e29b388af
estSSLContext.java
estSSLEnginePair.java
estSSLSessions.java
estSSLSocketPair.java