8311644: Server should not send bad_certificate alert when the client does not send any certificates

Backport-of: f62b5789add23adda2634a1cfb80f48b4387be74

Author: GoeLin

src/java.base/share/classes/sun/security/ssl/Alert.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -123,13 +123,13 @@ SSLException createSSLException(String reason, Throwable cause) {
         }
 
         if (cause instanceof IOException) {
-            return new SSLException(reason, cause);
+            return new SSLException("(" + description + ") " + reason, cause);
         } else if ((this == UNEXPECTED_MESSAGE)) {
-            return new SSLProtocolException(reason, cause);
+            return new SSLProtocolException("(" + description + ") " + reason, cause);
         } else if (handshakeOnly) {
-            return new SSLHandshakeException(reason, cause);
+            return new SSLHandshakeException("(" + description + ") " + reason, cause);
         } else {
-            return new SSLException(reason, cause);
+            return new SSLException("(" + description + ") " + reason, cause);
         }
     }
 

src/java.base/share/classes/sun/security/ssl/CertificateMessage.java

@@ -381,7 +381,7 @@ private void onCertificate(ServerHandshakeContext shc,
                 if (shc.sslConfig.clientAuthType !=
                         ClientAuthType.CLIENT_AUTH_REQUESTED) {
                     // unexpected or require client authentication
-                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Empty client certificate chain");
                 } else {
                     return;
@@ -1163,7 +1163,7 @@ private void onConsumeCertificate(ServerHandshakeContext shc,
                 shc.handshakeConsumers.remove(
                         SSLHandshake.CERTIFICATE_VERIFY.id);
                 if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
-                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.CERTIFICATE_REQUIRED,
                         "Empty client certificate chain");
                 } else {
                     // optional client authentication
@@ -1187,7 +1187,7 @@ private void onConsumeCertificate(ClientHandshakeContext chc,
                 T13CertificateMessage certificateMessage )throws IOException {
             if (certificateMessage.certEntries == null ||
                     certificateMessage.certEntries.isEmpty()) {
-                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.DECODE_ERROR,
                     "Empty server certificate chain");
             }
 

test/jdk/javax/net/ssl/SSLSession/CertMsgCheck.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @library /javax/net/ssl/templates
+ * @bug 8311644
+ * @summary Verify CertificateMessage alerts are correct to the TLS specs
+ * @run main/othervm -Djdk.tls.client.protocols=TLSv1.2 CertMsgCheck handshake_failure
+ * @run main/othervm -Djdk.tls.client.protocols=TLSv1.3 CertMsgCheck certificate_required
+ *
+ */
+
+public class CertMsgCheck {
+
+    public static void main(String[] args) throws Exception {
+        // Start server
+        TLSBase.Server server = new TLSBase.ServerBuilder().setClientAuth(true).
+            build();
+
+        // Initial client session
+        TLSBase.Client client1 = new TLSBase.Client(true, false);
+        if (server.getSession(client1).getSessionContext() == null) {
+            for (Exception e : server.getExceptionList()) {
+                System.out.println("Looking at " + e.getClass() + " " +
+                    e.getMessage());
+                if (e.getMessage().contains(args[0])) {
+                    System.out.println("Found correct exception: " + args[0] +
+                    " in " + e.getMessage());
+                    return;
+                } else {
+                    System.out.println("No \"" + args[0] + "\" found.");
+                }
+            }
+
+            throw new Exception("Failed to find expected alert: " + args[0]);
+        }
+    }
+}

test/jdk/javax/net/ssl/SSLSession/CheckSessionContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,36 +36,30 @@
  */
 
 import javax.net.ssl.SSLSession;
+import java.util.HexFormat;
 
 public class CheckSessionContext {
 
-    static void toHex(byte[] id) {
-        for (byte b : id) {
-            System.out.printf("%02X ", b);
-        }
-        System.out.println();
-    }
+    static HexFormat hex = HexFormat.of();
 
     public static void main(String[] args) throws Exception {
         TLSBase.Server server = new TLSBase.Server();
 
         // Initial client session
         TLSBase.Client client1 = new TLSBase.Client();
         if (server.getSession(client1).getSessionContext() == null) {
-            throw new Exception("Context was null");
+            throw new Exception("Context was null.  Handshake failure.");
         } else {
             System.out.println("Context was found");
         }
         SSLSession ss = server.getSession(client1);
         System.out.println(ss);
         byte[] id = ss.getId();
-        System.out.print("id = ");
-        toHex(id);
+        System.out.println("id = " + hex.formatHex(id));
         System.out.println("ss.getSessionContext().getSession(id) = " + ss.getSessionContext().getSession(id));
         if (ss.getSessionContext().getSession(id) != null) {
             id = ss.getSessionContext().getSession(id).getId();
-            System.out.print("id = ");
-            toHex(id);
+            System.out.println("id = " + hex.formatHex(id));
         }
         server.close(client1);
         client1.close();