| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.tomcat.util.net.jsse.openssl; |
| |
| import java.util.List; |
| |
| import org.junit.Assert; |
| import org.junit.Ignore; |
| import org.junit.Test; |
| |
| public class TestOpenSSLCipherConfigurationParser { |
| |
| @Test |
| public void testDEFAULT() throws Exception { |
| if (TesterOpenSSL.VERSION < 10100) { |
| // Account for classes of ciphers removed from DEFAULT in 1.1.0 |
| testSpecification("DEFAULT:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES"); |
| } else { |
| testSpecification("DEFAULT"); |
| } |
| } |
| |
| |
| @Test |
| public void testCOMPLEMENTOFDEFAULT() throws Exception { |
| if (TesterOpenSSL.VERSION < 10100) { |
| // Account for classes of ciphers removed from DEFAULT in 1.1.0 |
| testSpecification("COMPLEMENTOFDEFAULT:RC4:DSS:SEED:IDEA:CAMELLIA:AESCCM:aNULL:3DES"); |
| } else { |
| testSpecification("COMPLEMENTOFDEFAULT"); |
| } |
| } |
| |
| |
| @Test |
| public void testALL() throws Exception { |
| testSpecification("ALL"); |
| } |
| |
| |
| @Test |
| public void testCOMPLEMENTOFALL() throws Exception { |
| testSpecification("COMPLEMENTOFALL"); |
| } |
| |
| |
| @Test |
| public void testaNULL() throws Exception { |
| testSpecification("aNULL"); |
| } |
| |
| |
| @Test |
| public void testeNULL() throws Exception { |
| testSpecification("eNULL"); |
| } |
| |
| |
| @Test |
| public void testHIGH() throws Exception { |
| testSpecification("HIGH"); |
| } |
| |
| |
| @Test |
| public void testMEDIUM() throws Exception { |
| testSpecification("MEDIUM"); |
| } |
| |
| |
| @Test |
| public void testLOW() throws Exception { |
| testSpecification("LOW"); |
| } |
| |
| |
| @Test |
| public void testEXPORT40() throws Exception { |
| testSpecification("EXPORT40"); |
| } |
| |
| |
| @Test |
| public void testEXPORT() throws Exception { |
| testSpecification("EXPORT"); |
| } |
| |
| |
| @Test |
| public void testRSA() throws Exception { |
| testSpecification("RSA"); |
| } |
| |
| |
| @Test |
| public void testaRSA() throws Exception { |
| testSpecification("aRSA"); |
| } |
| |
| |
| @Test |
| public void testkRSA() throws Exception { |
| testSpecification("kRSA"); |
| } |
| |
| |
| @Test |
| public void testkEDH() throws Exception { |
| testSpecification("kEDH"); |
| } |
| |
| |
| @Test |
| public void testkDHE() throws Exception { |
| // This alias was introduced in 1.0.2 |
| if (TesterOpenSSL.VERSION >= 10002) { |
| testSpecification("kDHE"); |
| } |
| } |
| |
| |
| @Test |
| public void testEDH() throws Exception { |
| testSpecification("EDH"); |
| } |
| |
| |
| @Test |
| public void testDHE() throws Exception { |
| // This alias was introduced in 1.0.2 |
| if (TesterOpenSSL.VERSION >= 10002) { |
| testSpecification("DHE"); |
| } |
| } |
| |
| |
| @Test |
| public void testkDHr() throws Exception { |
| testSpecification("kDHr"); |
| } |
| |
| |
| @Test |
| public void testkDHd() throws Exception { |
| testSpecification("kDHd"); |
| } |
| |
| |
| @Test |
| public void testkDH() throws Exception { |
| testSpecification("kDH"); |
| } |
| |
| |
| @Test |
| public void testkECDHr() throws Exception { |
| testSpecification("kECDHr"); |
| } |
| |
| |
| @Test |
| public void testkECDHe() throws Exception { |
| testSpecification("kECDHe"); |
| } |
| |
| |
| @Test |
| public void testkECDH() throws Exception { |
| testSpecification("kECDH"); |
| } |
| |
| |
| @Test |
| public void testkEECDH() throws Exception { |
| testSpecification("kEECDH"); |
| } |
| |
| |
| @Test |
| public void testECDH() throws Exception { |
| testSpecification("ECDH"); |
| } |
| |
| |
| @Test |
| public void testkECDHE() throws Exception { |
| testSpecification("kECDHE"); |
| } |
| |
| |
| @Test |
| public void testECDHE() throws Exception { |
| testSpecification("ECDHE"); |
| } |
| |
| |
| @Test |
| @Ignore("Contrary to the docs, OpenSSL does not recognise EECDHE") |
| public void testEECDHE() throws Exception { |
| testSpecification("EECDHE"); |
| } |
| |
| |
| @Test |
| public void testAECDH() throws Exception { |
| testSpecification("AECDH"); |
| } |
| |
| |
| @Test |
| public void testDSS() throws Exception { |
| testSpecification("DSS"); |
| } |
| |
| |
| @Test |
| public void testaDSS() throws Exception { |
| testSpecification("aDSS"); |
| } |
| |
| |
| @Test |
| public void testaDH() throws Exception { |
| testSpecification("aDH"); |
| } |
| |
| |
| @Test |
| public void testaECDH() throws Exception { |
| testSpecification("aECDH"); |
| } |
| |
| |
| @Test |
| public void testaECDSA() throws Exception { |
| testSpecification("aECDSA"); |
| } |
| |
| |
| @Test |
| public void testECDSA() throws Exception { |
| testSpecification("ECDSA"); |
| } |
| |
| |
| @Test |
| public void testkFZA() throws Exception { |
| testSpecification("kFZA"); |
| } |
| |
| |
| @Test |
| public void testaFZA() throws Exception { |
| testSpecification("aFZA"); |
| } |
| |
| |
| @Test |
| public void testeFZA() throws Exception { |
| testSpecification("eFZA"); |
| } |
| |
| |
| @Test |
| public void testFZA() throws Exception { |
| testSpecification("FZA"); |
| } |
| |
| |
| @Test |
| public void testTLSv1_2() throws Exception { |
| testSpecification("TLSv1.2"); |
| } |
| |
| |
| @Test |
| public void testTLSv1() throws Exception { |
| // In OpenSSL 1.1.0-dev, TLSv1 refers to those ciphers that require |
| // TLSv1 rather than being an alias for SSLv3 |
| if (TesterOpenSSL.VERSION >= 10100) { |
| testSpecification("TLSv1"); |
| } |
| } |
| |
| |
| @Test |
| public void testSSLv2() throws Exception { |
| testSpecification("SSLv2"); |
| } |
| |
| |
| @Test |
| public void testSSLv3() throws Exception { |
| testSpecification("SSLv3"); |
| } |
| |
| |
| @Test |
| public void testDH() throws Exception { |
| testSpecification("DH"); |
| } |
| |
| |
| @Test |
| public void testADH() throws Exception { |
| testSpecification("ADH"); |
| } |
| |
| |
| @Test |
| public void testAES128() throws Exception { |
| testSpecification("AES128"); |
| } |
| |
| |
| @Test |
| public void testAES256() throws Exception { |
| testSpecification("AES256"); |
| } |
| |
| |
| @Test |
| public void testAES() throws Exception { |
| testSpecification("AES"); |
| } |
| |
| |
| @Test |
| public void testAESGCM() throws Exception { |
| testSpecification("AESGCM"); |
| } |
| |
| |
| @Test |
| public void testAESCCM() throws Exception { |
| testSpecification("AESCCM"); |
| } |
| |
| |
| @Test |
| public void testAESCCM8() throws Exception { |
| testSpecification("AESCCM8"); |
| } |
| |
| |
| @Test |
| public void testCAMELLIA128() throws Exception { |
| testSpecification("CAMELLIA128"); |
| } |
| |
| |
| @Test |
| public void testCAMELLIA256() throws Exception { |
| testSpecification("CAMELLIA256"); |
| } |
| |
| |
| @Test |
| public void testCAMELLIA() throws Exception { |
| testSpecification("CAMELLIA"); |
| } |
| |
| |
| @Test |
| public void testCHACHA20() throws Exception { |
| testSpecification("CHACHA20"); |
| } |
| |
| |
| @Test |
| public void test3DES() throws Exception { |
| testSpecification("3DES"); |
| } |
| |
| |
| @Test |
| public void testDES() throws Exception { |
| testSpecification("DES"); |
| } |
| |
| |
| @Test |
| public void testRC4() throws Exception { |
| testSpecification("RC4"); |
| } |
| |
| |
| @Test |
| public void testRC2() throws Exception { |
| testSpecification("RC2"); |
| } |
| |
| |
| @Test |
| public void testIDEA() throws Exception { |
| testSpecification("IDEA"); |
| } |
| |
| |
| @Test |
| public void testSEED() throws Exception { |
| testSpecification("SEED"); |
| } |
| |
| |
| @Test |
| public void testMD5() throws Exception { |
| testSpecification("MD5"); |
| } |
| |
| |
| @Test |
| public void testSHA1() throws Exception { |
| testSpecification("SHA1"); |
| } |
| |
| |
| @Test |
| public void testSHA() throws Exception { |
| testSpecification("SHA"); |
| } |
| |
| |
| @Test |
| public void testSHA256() throws Exception { |
| testSpecification("SHA256"); |
| } |
| |
| |
| @Test |
| public void testSHA384() throws Exception { |
| testSpecification("SHA384"); |
| } |
| |
| |
| @Test |
| public void testKRB5() throws Exception { |
| testSpecification("KRB5"); |
| } |
| |
| |
| @Test |
| public void testaGOST() throws Exception { |
| testSpecification("aGOST"); |
| } |
| |
| |
| @Test |
| public void testaGOST01() throws Exception { |
| testSpecification("aGOST01"); |
| } |
| |
| |
| @Test |
| public void testaGOST94() throws Exception { |
| testSpecification("aGOST94"); |
| } |
| |
| |
| @Test |
| public void testkGOST() throws Exception { |
| testSpecification("kGOST"); |
| } |
| |
| |
| @Test |
| public void testGOST94() throws Exception { |
| testSpecification("GOST94"); |
| } |
| |
| |
| @Test |
| public void testGOST89MAC() throws Exception { |
| testSpecification("GOST89MAC"); |
| } |
| |
| |
| @Test |
| public void testaPSK() throws Exception { |
| testSpecification("aPSK"); |
| } |
| |
| |
| @Test |
| public void testkPSK() throws Exception { |
| testSpecification("kPSK"); |
| } |
| |
| |
| @Test |
| public void testkRSAPSK() throws Exception { |
| testSpecification("kRSAPSK"); |
| } |
| |
| |
| @Test |
| public void testkECDHEPSK() throws Exception { |
| testSpecification("kECDHEPSK"); |
| } |
| |
| |
| @Test |
| public void testkDHEPSK() throws Exception { |
| testSpecification("kDHEPSK"); |
| } |
| |
| |
| @Test |
| public void testPSK() throws Exception { |
| testSpecification("PSK"); |
| } |
| |
| |
| // TODO: Add tests for the individual operators |
| |
| @Test |
| public void testSpecification01() throws Exception { |
| // Tomcat 8 default as of 2014-08-04 |
| // This gets an A- from https://www.ssllabs.com/ssltest with no FS for |
| // a number of the reference browsers |
| testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); |
| } |
| |
| |
| @Test |
| public void testSpecification02() throws Exception { |
| // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/ |
| testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM"); |
| } |
| |
| |
| @Test |
| public void testSpecification03() throws Exception { |
| // Reported as failing during 8.0.11 release vote by Ognjen Blagojevic |
| // EDH was introduced in 1.0.0 |
| testSpecification("EECDH+aRSA+SHA384:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"); |
| } |
| |
| private void testSpecification(String specification) throws Exception { |
| // Filter out cipher suites that OpenSSL does not implement |
| String openSSLCipherList = TesterOpenSSL.getOpenSSLCiphersAsExpression(specification); |
| List<String> jsseCipherListFromOpenSSL = |
| OpenSSLCipherConfigurationParser.parseExpression(openSSLCipherList); |
| List<String> jsseCipherListFromParser = |
| OpenSSLCipherConfigurationParser.parseExpression(specification); |
| |
| TesterOpenSSL.removeUnimplementedCiphersJsse(jsseCipherListFromParser); |
| |
| // First check the lists have the same entries |
| // Order is NOT important at this point. It is checked below. |
| Assert.assertEquals(jsseCipherListFromOpenSSL.size(), jsseCipherListFromParser.size()); |
| Assert.assertTrue(jsseCipherListFromOpenSSL.containsAll(jsseCipherListFromParser)); |
| |
| // OpenSSL treats many ciphers as having equal preference. The order |
| // returned depends on the order they are requested. The following code |
| // checks that the Parser produces a cipher list that is consistent with |
| // OpenSSL's preference order by confirming that running through OpenSSL |
| // does not change the order. |
| String parserOrderedExpression = listToString(jsseCipherListFromParser, ','); |
| Assert.assertEquals( |
| listToString(OpenSSLCipherConfigurationParser.parseExpression( |
| parserOrderedExpression), ','), |
| parserOrderedExpression); |
| } |
| |
| |
| private String listToString(List<String> list, char separator) { |
| StringBuilder sb = new StringBuilder(); |
| boolean first = true; |
| for (String entry : list) { |
| if (first) { |
| first = false; |
| } else { |
| sb.append(separator); |
| } |
| sb.append(entry); |
| } |
| return sb.toString(); |
| } |
| } |