CoCalc -- KeyUsageMatters.java

GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
⁴¹¹⁶¹ views
1
/*
2
 * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
//
25
// Security properties, once set, cannot revert to unset.  To avoid
26
// conflicts with tests running in the same VM isolate this test by
27
// running it in otherVM mode.
28
//
29

30
/**
31
 * @test
32
 * @bug 6852744 8133489
33
 * @summary PIT b61: PKI test suite fails because self signed certificates
34
 *          are being rejected
35
 * @modules java.base/sun.security.util
36
 * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subca
37
 * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subci
38
 * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters alice
39
 * @author Xuelei Fan
40
 */
41

42
import java.io.*;
43
import java.net.SocketException;
44
import java.util.*;
45
import java.security.Security;
46
import java.security.cert.*;
47
import java.security.cert.CertPathValidatorException.BasicReason;
48
import sun.security.util.DerInputStream;
49

50
/**
51
 * KeyUsage extension plays a important rule during looking for the issuer
52
 * of a certificate or CRL. A certificate issuer should have the keyCertSign
53
 * bit set, and a CRL issuer should have the cRLSign bit set.
54
 *
55
 * Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
56
 * as would be troublesome to find the proper CRL issuer during certificate
57
 * path build if the delegated CRL issuer is a self-issued certificate, for
58
 * it is hard to identify it from its issuer by the "issuer" field only.
59
 *
60
 * The fix of 6852744 should addresses above issue, and allow a delegated CRL
61
 * issuer to have keyCertSign bit set.
62
 *
63
 * In the test case, the delegated CRL issuers have cRLSign bit set only, and
64
 * the CAs have the keyCertSign bit set only, it is expected to work before
65
 * and after the bug fix of 6852744.
66
 */
67
public final class KeyUsageMatters {
68

69
    // the trust anchor
70
    static String selfSignedCertStr =
71
        "-----BEGIN CERTIFICATE-----\n" +
72
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
73
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
74
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
75
        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
76
        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
77
        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
78
        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
79
        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
80
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
81
        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
82
        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
83
        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
84
        "Vjw=\n" +
85
        "-----END CERTIFICATE-----";
86

87
    // the sub-ca
88
    static String subCaCertStr =
89
        "-----BEGIN CERTIFICATE-----\n" +
90
        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
91
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
92
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
93
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
94
        "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
95
        "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
96
        "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
97
        "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
98
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
99
        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
100
        "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
101
        "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
102
        "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
103
        "-----END CERTIFICATE-----";
104

105
    // a delegated CRL issuer, it's a self-issued certificate of trust anchor
106
    static String topCrlIssuerCertStr =
107
        "-----BEGIN CERTIFICATE-----\n" +
108
        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
109
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
110
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
111
        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
112
        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
113
        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
114
        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
115
        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
116
        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
117
        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
118
        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
119
        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
120
        "-----END CERTIFICATE-----";
121

122
    // a delegated CRL issuer, it's a self-issued certificate of sub-ca
123
    static String subCrlIssuerCertStr =
124
        "-----BEGIN CERTIFICATE-----\n" +
125
        "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
126
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
127
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
128
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
129
        "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
130
        "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
131
        "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
132
        "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
133
        "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
134
        "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
135
        "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
136
        "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
137
        "rg==\n" +
138
        "-----END CERTIFICATE-----";
139

140
    // the target EE certificate
141
    static String targetCertStr =
142
        "-----BEGIN CERTIFICATE-----\n" +
143
        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
144
        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
145
        "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
146
        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
147
        "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
148
        "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
149
        "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
150
        "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
151
        "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
152
        "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
153
        "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
154
        "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
155
        "-----END CERTIFICATE-----";
156

157
    // CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
158
    static String topCrlStr =
159
        "-----BEGIN X509 CRL-----\n" +
160
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
161
        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
162
        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
163
        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
164
        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
165
        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
166
        "-----END X509 CRL-----";
167

168
    // CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
169
    static String subCrlStr =
170
        "-----BEGIN X509 CRL-----\n" +
171
        "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
172
        "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
173
        "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
174
        "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
175
        "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
176
        "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
177
        "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
178
        "-----END X509 CRL-----";
179

180
    private static Set<TrustAnchor> generateTrustAnchors()
181
            throws CertificateException {
182
        // generate certificate from cert string
183
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
184

185
        ByteArrayInputStream is =
186
                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
187
        Certificate selfSignedCert = cf.generateCertificate(is);
188

189
        // generate a trust anchor
190
        TrustAnchor anchor =
191
            new TrustAnchor((X509Certificate)selfSignedCert, null);
192

193
        return Collections.singleton(anchor);
194
    }
195

196
    private static CertStore generateCertificateStore() throws Exception {
197
        Collection entries = new HashSet();
198

199
        // generate certificate from certificate string
200
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
201

202
        ByteArrayInputStream is;
203

204
        is = new ByteArrayInputStream(targetCertStr.getBytes());
205
        Certificate cert = cf.generateCertificate(is);
206
        entries.add(cert);
207

208
        is = new ByteArrayInputStream(subCaCertStr.getBytes());
209
        cert = cf.generateCertificate(is);
210
        entries.add(cert);
211

212
        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
213
        cert = cf.generateCertificate(is);
214
        entries.add(cert);
215

216
        is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
217
        cert = cf.generateCertificate(is);
218
        entries.add(cert);
219

220
        is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
221
        cert = cf.generateCertificate(is);
222
        entries.add(cert);
223

224
        // generate CRL from CRL string
225
        is = new ByteArrayInputStream(topCrlStr.getBytes());
226
        Collection mixes = cf.generateCRLs(is);
227
        entries.addAll(mixes);
228

229
        is = new ByteArrayInputStream(subCrlStr.getBytes());
230
        mixes = cf.generateCRLs(is);
231
        entries.addAll(mixes);
232

233
        return CertStore.getInstance("Collection",
234
                            new CollectionCertStoreParameters(entries));
235
    }
236

237
    private static X509CertSelector generateSelector(String name)
238
                throws Exception {
239
        X509CertSelector selector = new X509CertSelector();
240

241
        // generate certificate from certificate string
242
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
243
        ByteArrayInputStream is = null;
244
        if (name.equals("subca")) {
245
            is = new ByteArrayInputStream(subCaCertStr.getBytes());
246
        } else if (name.equals("subci")) {
247
            is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
248
        } else {
249
            is = new ByteArrayInputStream(targetCertStr.getBytes());
250
        }
251

252
        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
253
        byte[] extVal = target.getExtensionValue("2.5.29.14");
254
        if (extVal != null) {
255
            DerInputStream in = new DerInputStream(extVal);
256
            byte[] subjectKID = in.getOctetString();
257
            selector.setSubjectKeyIdentifier(subjectKID);
258
        } else {
259
            // unlikely to happen.
260
            throw new Exception("unexpected certificate: no SKID extension");
261
        }
262

263
        return selector;
264
    }
265

266
    private static boolean match(String name, Certificate cert)
267
                throws Exception {
268
        X509CertSelector selector = new X509CertSelector();
269

270
        // generate certificate from certificate string
271
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
272
        ByteArrayInputStream is = null;
273
        if (name.equals("subca")) {
274
            is = new ByteArrayInputStream(subCaCertStr.getBytes());
275
        } else if (name.equals("subci")) {
276
            is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
277
        } else {
278
            is = new ByteArrayInputStream(targetCertStr.getBytes());
279
        }
280
        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
281

282
        return target.equals(cert);
283
    }
284

285

286
    public static void main(String[] args) throws Exception {
287
        // MD5 is used in this test case, don't disable MD5 algorithm.
288
        Security.setProperty(
289
                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
290

291
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
292

293
        X509CertSelector selector = generateSelector(args[0]);
294

295
        Set<TrustAnchor> anchors = generateTrustAnchors();
296
        CertStore certs = generateCertificateStore();
297

298

299
        PKIXBuilderParameters params =
300
                new PKIXBuilderParameters(anchors, selector);
301
        params.addCertStore(certs);
302
        params.setRevocationEnabled(true);
303
        params.setDate(new Date(109, 5, 1));   // 2009-05-01
304
        Security.setProperty("ocsp.enable", "false");
305
        System.setProperty("com.sun.security.enableCRLDP", "true");
306

307
        PKIXCertPathBuilderResult result =
308
                (PKIXCertPathBuilderResult)builder.build(params);
309

310
        if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
311
            throw new Exception("unexpected certificate");
312
        }
313
    }
314
}
315

316
Product

Resources

Company
