GitHub Repository: PojavLauncherTeam/mobile
Path: blob/master/test/jdk/java/security/cert/CertPathValidator/OCSP/FailoverToCRL.java
1
/*
2
* Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
3
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
*
5
* This code is free software; you can redistribute it and/or modify it
6
* under the terms of the GNU General Public License version 2 only, as
7
* published by the Free Software Foundation.
8
*
9
* This code is distributed in the hope that it will be useful, but WITHOUT
10
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12
* version 2 for more details (a copy is included in the LICENSE file that
13
* accompanied this code).
14
*
15
* You should have received a copy of the GNU General Public License version
16
* 2 along with this work; if not, write to the Free Software Foundation,
17
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
*
19
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
* or visit www.oracle.com if you need additional information or have any
21
* questions.
22
*/
23
24
//
// Security properties, once set, cannot revert to unset. To avoid
// conflicts with other tests running in the same VM, isolate this test
// by running it in othervm mode.
//
29
30
/**
31
* @test
32
* @bug 6383095
33
* @summary CRL revoked certificate failures masked by OCSP failures
34
* @run main/othervm FailoverToCRL
35
* @author Xuelei Fan
36
*/
37
38
/*
 * Note that the certificate validity is from Mar 16 14:55:35 2009 GMT to
 * Dec 1 14:55:35 2028 GMT; please replace it with a newer certificate
 * once it expires.
 */
43
44
/*
45
* Certificates used in the test.
46
*
47
* end entity certificate:
48
* Data:
49
* Version: 3 (0x2)
50
* Serial Number: 25 (0x19)
51
* Signature Algorithm: md5WithRSAEncryption
52
* Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
53
* Validity
54
* Not Before: Mar 16 14:55:35 2009 GMT
55
* Not After : Dec 1 14:55:35 2028 GMT
56
* Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Client,
57
* CN=localhost
58
* Subject Public Key Info:
59
* Public Key Algorithm: rsaEncryption
60
* RSA Public Key: (1024 bit)
61
* Modulus (1024 bit):
62
* 00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
63
* 21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
64
* 12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
65
* 01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
66
* 7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
67
* 35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
68
* ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
69
* 28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
70
* 75:8d:f5:82:ac:43:92:44:1b
71
* Exponent: 65537 (0x10001)
72
* X509v3 extensions:
73
* X509v3 Basic Constraints:
74
* CA:FALSE
75
* X509v3 Key Usage:
76
* Digital Signature, Non Repudiation, Key Encipherment
77
* X509v3 Subject Key Identifier:
78
* CD:BB:C8:85:AA:91:BD:FD:1D:BE:CD:67:7C:FF:B3:E9:4C:A8:22:E6
79
* X509v3 Authority Key Identifier:
80
* keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
81
* Signature Algorithm: md5WithRSAEncryption
82
*
83
*
84
* trusted certificate authority:
85
* Data:
86
* Version: 3 (0x2)
87
* Serial Number: 0 (0x0)
88
* Signature Algorithm: md5WithRSAEncryption
89
* Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
90
* Validity
91
* Not Before: Dec 8 02:43:36 2008 GMT
92
* Not After : Aug 25 02:43:36 2028 GMT
93
* Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org
94
* Subject Public Key Info:
95
* Public Key Algorithm: rsaEncryption
96
* RSA Public Key: (1024 bit)
97
* Modulus (1024 bit):
98
* 00:cb:c4:38:20:07:be:88:a7:93:b0:a1:43:51:2d:
99
* d7:8e:85:af:54:dd:ad:a2:7b:23:5b:cf:99:13:53:
100
* 99:45:7d:ee:6d:ba:2d:bf:e3:ad:6e:3d:9f:1a:f9:
101
* 03:97:e0:17:55:ae:11:26:57:de:01:29:8e:05:3f:
102
* 21:f7:e7:36:e8:2e:37:d7:48:ac:53:d6:60:0e:c7:
103
* 50:6d:f6:c5:85:f7:8b:a6:c5:91:35:72:3c:94:ee:
104
* f1:17:f0:71:e3:ec:1b:ce:ca:4e:40:42:b0:6d:ee:
105
* 6a:0e:d6:e5:ad:3c:0f:c9:ba:82:4f:78:f8:89:97:
106
* 89:2a:95:12:4c:d8:09:2a:e9
107
* Exponent: 65537 (0x10001)
108
* X509v3 extensions:
109
* X509v3 Subject Key Identifier:
110
* FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
111
* X509v3 Authority Key Identifier:
112
* keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
113
* DirName:/C=US/ST=Some-State/L=Some-City/O=Some-Org
114
* X509v3 Basic Constraints:
115
* CA:TRUE
116
* Signature Algorithm: md5WithRSAEncryption
117
*
118
* CRL:
119
* Certificate Revocation List (CRL):
120
* Version 2 (0x1)
121
* Signature Algorithm: md5WithRSAEncryption
122
* Issuer: /C=US/ST=Some-State/L=Some-City/O=Some-Org
123
* Last Update: Mar 16 16:27:14 2009 GMT
124
* Next Update: May 15 16:27:14 2028 GMT
125
* CRL extensions:
126
* X509v3 CRL Number:
127
* 2
128
* Revoked Certificates:
129
* Serial Number: 19
130
* Revocation Date: Mar 16 16:22:08 2009 GMT
131
* CRL entry extensions:
132
* X509v3 CRL Reason Code:
133
* Superseded
134
* Signature Algorithm: md5WithRSAEncryption
135
*/
136
137
import java.io.*;
138
import java.net.SocketException;
139
import java.util.*;
140
import java.security.Security;
141
import java.security.cert.*;
142
import java.security.InvalidAlgorithmParameterException;
143
import java.security.cert.CertPathValidatorException.BasicReason;
144
145
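/**
 * Regression test: a certificate that is revoked in a locally supplied CRL
 * must be reported as {@code REVOKED} even though OCSP checking is enabled
 * and no OCSP responder is configured.
 *
 * <p>The fixtures are signed with MD5 and use 1024-bit RSA keys. They are
 * test data only; {@link #main} relaxes
 * {@code jdk.certpath.disabledAlgorithms} so that they can still be parsed
 * and validated, which is why the test has to run in its own VM.
 */
public class FailoverToCRL {

    // Self-signed trusted CA certificate (PEM). The historical spelling of
    // the field name is kept so that existing references keep compiling.
    static String trusedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
        "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
        "EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ\n" +
        "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
        "dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
        "gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX\n" +
        "4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj\n" +
        "7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G\n" +
        "A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ\n" +
        "hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt\n" +
        "U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw\n" +
        "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA\n" +
        "ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ\n" +
        "LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P\n" +
        "6Mvf0r1PNTY2hwTJLJmKtg==\n" +
        "-----END CERTIFICATE-----";

    // End-entity certificate (PEM), serial number 25 (0x19); this is the
    // certificate that the CRL below lists as revoked.
    static String targetCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICizCCAfSgAwIBAgIBGTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
        "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
        "EwhTb21lLU9yZzAeFw0wOTAzMTYxNDU1MzVaFw0yODEyMDExNDU1MzVaMHIxCzAJ\n" +
        "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
        "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD\n" +
        "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas\n" +
        "JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV\n" +
        "8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq\n" +
        "ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjWjBYMAkGA1UdEwQCMAAw\n" +
        "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV\n" +
        "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDANBgkqhkiG9w0BAQQFAAOBgQBv\n" +
        "p7JjCDOrMBNun46xs4Gz7Y4ygM5VHaFP0oO7369twvRSu0pCuIdZd5OIMPFeRqQw\n" +
        "PA68ZdhYVR0pG5W7isV+jB+Dfge/IOgOA85sZ/6FlP3PBRW+YMQKKdRr5So3ook9\n" +
        "PimQ7rbxRAofPECv20IUKFBbOUkU+gFcn+WbTKYxBw==\n" +
        "-----END CERTIFICATE-----";

    // CRL (PEM) issued by the trusted CA; it revokes serial number 0x19.
    static String crlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBRTCBrwIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzETMBEGA1UE\n" +
        "CBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQKEwhTb21l\n" +
        "LU9yZxcNMDkwMzE2MTYyNzE0WhcNMjgwNTE1MTYyNzE0WjAiMCACARkXDTA5MDMx\n" +
        "NjE2MjIwOFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcN\n" +
        "AQEEBQADgYEAMixJI9vBwYpOGosn46+T/MTEtlm2S5pIVT/xPDrHkCPfw8l4Zrgp\n" +
        "dGPuUkglWdrGdxY9MNRUj2YFNfdZi6zZ7JF6XbkDHYOAKYgPDJRjS/0VcBntn5RJ\n" +
        "sQfZsBqc9fFSP8gknRRn3LT41kr9xNRxTT1t3YYjv7J3zkMYyInqeUA=\n" +
        "-----END X509 CRL-----";

    /**
     * Wraps a PEM string in an input stream for {@link CertificateFactory}.
     *
     * <p>PEM text is pure ASCII, so the charset is named explicitly instead
     * of relying on the platform default.
     */
    private static ByteArrayInputStream pemStream(String pem) {
        return new ByteArrayInputStream(
                pem.getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    }

    /**
     * Builds the certification path to validate. It contains only the
     * end-entity certificate; the issuing CA is supplied as a trust anchor.
     *
     * @return a one-element certification path
     * @throws CertificateException if the embedded certificate cannot be parsed
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate targetCert = cf.generateCertificate(pemStream(targetCertStr));

        List<Certificate> list = Collections.singletonList(targetCert);
        return cf.generateCertPath(list);
    }

    /**
     * Builds the trust anchor set from the embedded CA certificate.
     *
     * @return a singleton set holding the CA as trust anchor, with no name
     *         constraints
     * @throws CertificateException if the embedded certificate cannot be parsed
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate trusedCert = cf.generateCertificate(pemStream(trusedCertStr));

        TrustAnchor anchor = new TrustAnchor((X509Certificate) trusedCert, null);
        return Collections.singleton(anchor);
    }

    /**
     * Builds an in-memory "Collection" cert store that holds the embedded CRL.
     *
     * @return a cert store containing the CRL
     * @throws Exception if the CRL cannot be parsed or the store cannot be
     *         created
     */
    private static CertStore generateCertificateStore() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls = cf.generateCRLs(pemStream(crlStr));

        return CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls));
    }

    /**
     * Validates the revoked end-entity certificate with OCSP enabled and
     * requires the validator to report {@code REVOKED}.
     *
     * @param args unused
     * @throws Exception if validation succeeds, fails for a reason other than
     *         {@code REVOKED}, or the environment has
     *         {@code ocsp.responderURL} set
     */
    public static void main(String[] args) throws Exception {
        // MD5 is used in this test case, don't disable MD5 algorithm.
        // This relaxation is only acceptable because the fixtures are
        // throw-away test data and the test runs in its own VM.
        Security.setProperty(
                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");

        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();
        CertStore crls = generateCertificateStore();

        PKIXParameters params = new PKIXParameters(anchors);

        // add the CRL store
        params.addCertStore(crls);

        // Activate certificate revocation checking
        params.setRevocationEnabled(true);

        // Activate OCSP
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Ensure that the ocsp.responderURL property is not set.
        if (Security.getProperty("ocsp.responderURL") != null) {
            throw new
                Exception("The ocsp.responderURL property must not be set");
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException cpve) {
            if (cpve.getReason() != BasicReason.REVOKED) {
                throw new Exception(
                    "unexpected exception, should be a REVOKED CPVE", cpve);
            }
            // Expected outcome: the revocation recorded in the CRL was reported.
            return;
        }

        // Reaching this point means the revoked certificate was accepted.
        // Without this check the test would pass silently in exactly the
        // case it exists to catch.
        throw new Exception(
            "validation succeeded, but the target certificate is revoked "
            + "in the supplied CRL");
    }
}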