CoCalc -- StatusLoopDependency.java

GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java
⁴¹¹⁶¹ views
1
/*
2
 * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
//
25
// Security properties, once set, cannot revert to unset.  To avoid
26
// conflicts with tests running in the same VM isolate this test by
27
// running it in otherVM mode.
28
//
29

30
/**
31
 * @test
32
 * @bug 6852744
33
 * @summary PIT b61: PKI test suite fails because self signed certificates
34
 *          are being rejected
35
 * @modules java.base/sun.security.util
36
 * @run main/othervm StatusLoopDependency subca
37
 * @run main/othervm StatusLoopDependency subci
38
 * @run main/othervm StatusLoopDependency alice
39
 * @author Xuelei Fan
40
 */
41

42
import java.io.*;
43
import java.net.SocketException;
44
import java.util.*;
45
import java.security.Security;
46
import java.security.cert.*;
47
import java.security.cert.CertPathValidatorException.BasicReason;
48
import sun.security.util.DerInputStream;
49

50
/**
51
 * KeyUsage extension plays a important rule during looking for the issuer
52
 * of a certificate or CRL. A certificate issuer should have the keyCertSign
53
 * bit set, and a CRL issuer should have the cRLSign bit set.
54
 *
55
 * Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
56
 * as would be troublesome to find the proper CRL issuer during certificate
57
 * path build if the delegated CRL issuer is a self-issued certificate, for
58
 * it is hard to identify it from its issuer by the "issuer" field only.
59
 *
60
 * In the test case, the delegated CRL issuers have keyCertSign bit set, and
61
 * the CAs have the cRLSign bit set also. If we cannot identify the delegated
62
 * CRL issuer from its issuer, there is a potential loop to find the correct
63
 * CRL.
64
 *
65
 * And when revocation enabled, needs to check the status of the delegated
66
 * CRL issuers. If the delegated CRL issuer issues itself status, there is
67
 * a potential loop to verify the CRL and check the status of delegated CRL
68
 * issuer.
69
 *
70
 * The fix of 6852744 should addresses above issues.
71
 */
72
public final class StatusLoopDependency {
73

74
    // the trust anchor
75
    static String selfSignedCertStr =
76
        "-----BEGIN CERTIFICATE-----\n" +
77
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
78
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +
79
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
80
        "AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +
81
        "81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +
82
        "m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +
83
        "AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +
84
        "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
85
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
86
        "DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +
87
        "ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +
88
        "DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +
89
        "v/E=\n" +
90
        "-----END CERTIFICATE-----";
91

92
    // the sub-ca
93
    static String subCaCertStr =
94
        "-----BEGIN CERTIFICATE-----\n" +
95
        "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
96
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +
97
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
98
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +
99
        "srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +
100
        "+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +
101
        "E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +
102
        "KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
103
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
104
        "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +
105
        "MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +
106
        "RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +
107
        "iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +
108
        "-----END CERTIFICATE-----";
109

110
    // a delegated CRL issuer, it's a self-issued certificate of trust anchor
111
    static String topCrlIssuerCertStr =
112
        "-----BEGIN CERTIFICATE-----\n" +
113
        "MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
114
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +
115
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
116
        "AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +
117
        "/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +
118
        "hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +
119
        "AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +
120
        "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
121
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
122
        "DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +
123
        "xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +
124
        "rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +
125
        "G0c=\n" +
126
        "-----END CERTIFICATE-----";
127

128
    // a delegated CRL issuer, it's a self-issued certificate of sub-ca
129
    static String subCrlIssuerCertStr =
130
        "-----BEGIN CERTIFICATE-----\n" +
131
        "MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
132
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +
133
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
134
        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +
135
        "OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +
136
        "obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +
137
        "GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +
138
        "xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
139
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
140
        "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +
141
        "Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +
142
        "pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +
143
        "Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +
144
        "-----END CERTIFICATE-----";
145

146
    // the target EE certificate
147
    static String targetCertStr =
148
        "-----BEGIN CERTIFICATE-----\n" +
149
        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
150
        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +
151
        "MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
152
        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
153
        "9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +
154
        "T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +
155
        "1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +
156
        "cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +
157
        "uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +
158
        "9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +
159
        "yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +
160
        "G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +
161
        "-----END CERTIFICATE-----";
162

163
    // CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
164
    static String topCrlStr =
165
        "-----BEGIN X509 CRL-----\n" +
166
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
167
        "ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX\n" +
168
        "DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ\n" +
169
        "KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1\n" +
170
        "v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN\n" +
171
        "GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=\n" +
172
        "-----END X509 CRL-----";
173

174
    // CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
175
    static String subCrlStr =
176
        "-----BEGIN X509 CRL-----\n" +
177
        "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
178
        "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw\n" +
179
        "ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO\n" +
180
        "MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO\n" +
181
        "oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe\n" +
182
        "5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr\n" +
183
        "N9AvUXxGxU4DruoJuFPcrCI=\n" +
184
        "-----END X509 CRL-----";
185

186
    private static Set<TrustAnchor> generateTrustAnchors()
187
            throws CertificateException {
188
        // generate certificate from cert string
189
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
190

191
        ByteArrayInputStream is =
192
                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
193
        Certificate selfSignedCert = cf.generateCertificate(is);
194

195
        // generate a trust anchor
196
        TrustAnchor anchor =
197
            new TrustAnchor((X509Certificate)selfSignedCert, null);
198

199
        return Collections.singleton(anchor);
200
    }
201

202
    private static CertStore generateCertificateStore() throws Exception {
203
        Collection entries = new HashSet();
204

205
        // generate certificate from certificate string
206
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
207

208
        ByteArrayInputStream is;
209

210
        is = new ByteArrayInputStream(targetCertStr.getBytes());
211
        Certificate cert = cf.generateCertificate(is);
212
        entries.add(cert);
213

214
        is = new ByteArrayInputStream(subCaCertStr.getBytes());
215
        cert = cf.generateCertificate(is);
216
        entries.add(cert);
217

218
        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
219
        cert = cf.generateCertificate(is);
220
        entries.add(cert);
221

222
        is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
223
        cert = cf.generateCertificate(is);
224
        entries.add(cert);
225

226
        is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
227
        cert = cf.generateCertificate(is);
228
        entries.add(cert);
229

230
        // generate CRL from CRL string
231
        is = new ByteArrayInputStream(topCrlStr.getBytes());
232
        Collection mixes = cf.generateCRLs(is);
233
        entries.addAll(mixes);
234

235
        is = new ByteArrayInputStream(subCrlStr.getBytes());
236
        mixes = cf.generateCRLs(is);
237
        entries.addAll(mixes);
238

239
        return CertStore.getInstance("Collection",
240
                            new CollectionCertStoreParameters(entries));
241
    }
242

243
    private static X509CertSelector generateSelector(String name)
244
                throws Exception {
245
        X509CertSelector selector = new X509CertSelector();
246

247
        // generate certificate from certificate string
248
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
249
        ByteArrayInputStream is = null;
250
        if (name.equals("subca")) {
251
            is = new ByteArrayInputStream(subCaCertStr.getBytes());
252
        } else if (name.equals("subci")) {
253
            is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
254
        } else {
255
            is = new ByteArrayInputStream(targetCertStr.getBytes());
256
        }
257

258
        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
259
        byte[] extVal = target.getExtensionValue("2.5.29.14");
260
        if (extVal != null) {
261
            DerInputStream in = new DerInputStream(extVal);
262
            byte[] subjectKID = in.getOctetString();
263
            selector.setSubjectKeyIdentifier(subjectKID);
264
        } else {
265
            // unlikely to happen.
266
            throw new Exception("unexpected certificate: no SKID extension");
267
        }
268

269
        return selector;
270
    }
271

272
    private static boolean match(String name, Certificate cert)
273
                throws Exception {
274
        X509CertSelector selector = new X509CertSelector();
275

276
        // generate certificate from certificate string
277
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
278
        ByteArrayInputStream is = null;
279
        if (name.equals("subca")) {
280
            is = new ByteArrayInputStream(subCaCertStr.getBytes());
281
        } else if (name.equals("subci")) {
282
            is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
283
        } else {
284
            is = new ByteArrayInputStream(targetCertStr.getBytes());
285
        }
286
        X509Certificate target = (X509Certificate)cf.generateCertificate(is);
287

288
        return target.equals(cert);
289
    }
290

291

292
    public static void main(String[] args) throws Exception {
293
        // MD5 is used in this test case, don't disable MD5 algorithm.
294
        Security.setProperty(
295
                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
296

297
        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
298

299
        X509CertSelector selector = generateSelector(args[0]);
300

301
        Set<TrustAnchor> anchors = generateTrustAnchors();
302
        CertStore certs = generateCertificateStore();
303

304

305
        PKIXBuilderParameters params =
306
                new PKIXBuilderParameters(anchors, selector);
307
        params.addCertStore(certs);
308
        params.setRevocationEnabled(true);
309
        params.setDate(new Date(109, 7, 1));   // 2009-07-01
310
        Security.setProperty("ocsp.enable", "false");
311
        System.setProperty("com.sun.security.enableCRLDP", "true");
312

313
        PKIXCertPathBuilderResult result =
314
                (PKIXCertPathBuilderResult)builder.build(params);
315

316
        if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
317
            throw new Exception("unexpected certificate");
318
        }
319
    }
320
}
321

322
Product

Resources

Company
