Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/mobile
 Path: blob/master/test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java
41161 views
1
/*

2
 * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.

8
 *

9
 * This code is distributed in the hope that it will be useful, but WITHOUT

10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

12
 * version 2 for more details (a copy is included in the LICENSE file that

13
 * accompanied this code).

14
 *

15
 * You should have received a copy of the GNU General Public License version

16
 * 2 along with this work; if not, write to the Free Software Foundation,

17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

18
 *

19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

20
 * or visit www.oracle.com if you need additional information or have any

21
 * questions.

22
 */

23


24
/**

25
 * @test

26
 * @bug 8179503

27
 * @summary Java should support GET OCSP calls

28
 * @library /javax/net/ssl/templates /java/security/testlibrary

29
 * @build SimpleOCSPServer

30
 * @modules java.base/sun.security.util

31
 *          java.base/sun.security.provider.certpath

32
 *          java.base/sun.security.x509

33
 * @run main/othervm GetAndPostTests

34
 */

35


36
import java.io.ByteArrayInputStream;

37
import java.io.IOException;

38
import java.io.OutputStream;

39
import java.net.URI;

40
import java.security.GeneralSecurityException;

41
import java.security.KeyFactory;

42
import java.security.KeyStore;

43
import java.security.PrivateKey;

44
import java.security.SecureRandom;

45
import java.security.cert.CertPath;

46
import java.security.cert.CertPathValidator;

47
import java.security.cert.Certificate;

48
import java.security.cert.CertificateException;

49
import java.security.cert.CertificateFactory;

50
import java.security.cert.Extension;

51
import java.security.cert.PKIXCertPathChecker;

52
import java.security.cert.PKIXParameters;

53
import java.security.cert.PKIXRevocationChecker;

54
import java.security.cert.TrustAnchor;

55
import java.security.cert.X509Certificate;

56
import java.security.spec.PKCS8EncodedKeySpec;

57
import java.util.Base64;

58
import java.util.Date;

59
import java.util.List;

60
import java.util.Map;

61
import java.util.Objects;

62
import java.util.Set;

63
import sun.security.testlibrary.SimpleOCSPServer;

64
import sun.security.testlibrary.SimpleOCSPServer;

65
import sun.security.testlibrary.SimpleOCSPServer;

66
import sun.security.util.DerOutputStream;

67
import sun.security.util.DerValue;

68
import sun.security.util.ObjectIdentifier;

69
import sun.security.testlibrary.SimpleOCSPServer;

70


71
public class GetAndPostTests {

72
    private static final String PASS = "passphrase";

73
    private static CertificateFactory certFac;

74


75
    public static void main(String args[]) throws Exception {

76
        SimpleOCSPServer ocspResponder = null;

77


78
        try {

79
            certFac = CertificateFactory.getInstance("X.509");

80


81
            // Read in the certificates and keys needed for this test and

82
            // create the keystore for the SimpleOCSPServer.  For the purposes

83
            // of this test, the CA certificate will also be the OCSP responder

84
            // signing certificate.

85
            SSLSocketTemplate.Cert certAuth =

86
                    SSLSocketTemplate.Cert.CA_ECDSA_SECP256R1;

87
            X509Certificate caCert = pem2Cert(certAuth.certStr);

88
            PrivateKey caKey = pem2Key(certAuth.privKeyStr, certAuth.keyAlgo);

89
            X509Certificate endEntCert =

90
                    pem2Cert(SSLSocketTemplate.Cert.EE_ECDSA_SECP256R1.certStr);

91


92
            KeyStore.Builder keyStoreBuilder =

93
                    KeyStore.Builder.newInstance("PKCS12", null,

94
                        new KeyStore.PasswordProtection(PASS.toCharArray()));

95
            KeyStore ocspStore = keyStoreBuilder.getKeyStore();

96
            Certificate[] ocspChain = {caCert};

97
            ocspStore.setKeyEntry("ocspsigner", caKey, PASS.toCharArray(),

98
                    ocspChain);

99


100
            // Create the certificate path we'll use for cert path validation.

101
            CertPath path = certFac.generateCertPath(List.of(endEntCert));

102


103
            // Next, create and start the OCSP responder.  Obtain the socket

104
            // address so we can set that in the PKIXRevocationChecker since

105
            // these certificates do not have AIA extensions on them.

106
            ocspResponder = new SimpleOCSPServer(ocspStore, PASS,

107
                    "ocspsigner", null);

108
            ocspResponder.setSignatureAlgorithm("SHA256WithECDSA");

109
            ocspResponder.enableLog(true);

110
            ocspResponder.setNextUpdateInterval(3600);

111
            ocspResponder.updateStatusDb(Map.of(

112
                    endEntCert.getSerialNumber(),

113
                    new SimpleOCSPServer.CertStatusInfo(

114
                            SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD)));

115
            ocspResponder.start();

116
            // Wait 5 seconds for server ready

117
            for (int i = 0; (i < 100 && !ocspResponder.isServerReady()); i++) {

118
                Thread.sleep(50);

119
            }

120
            if (!ocspResponder.isServerReady()) {

121
                throw new RuntimeException("Server not ready yet");

122
            }

123


124
            int ocspPort = ocspResponder.getPort();

125
            URI ocspURI = new URI("http://localhost:" + ocspPort);

126
            System.out.println("Configured CPV to connect to " + ocspURI);

127


128
            // Create the PKIXParameters needed for path validation and

129
            // configure any necessary OCSP parameters to control the OCSP

130
            // request size.

131
            Set<TrustAnchor> anchors = Set.of(new TrustAnchor(caCert, null));

132


133
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");

134
            PKIXRevocationChecker revChkr =

135
                    (PKIXRevocationChecker)validator.getRevocationChecker();

136
            revChkr.setOcspResponder(ocspURI);

137
            revChkr.setOptions(Set.of(

138
                    PKIXRevocationChecker.Option.ONLY_END_ENTITY,

139
                    PKIXRevocationChecker.Option.NO_FALLBACK));

140


141
            PKIXParameters params = new PKIXParameters(anchors);

142
            params.setRevocationEnabled(true);

143
            params.setDate(new Date(1590926400000L)); // 05/31/2020 @ 12:00:00Z

144
            params.addCertPathChecker(revChkr);

145


146
            System.out.println("Test 1: Request < 255 bytes, HTTP GET");

147
            validator.validate(path, params);

148


149
            System.out.println("Test 2: Request > 255 bytes, HTTP POST");

150
            // Modify the PKIXRevocationChecker to include a bogus non-critical

151
            // request extension that makes the request large enough to be

152
            // issued as an HTTP POST.

153
            List<PKIXCertPathChecker> chkrList = params.getCertPathCheckers();

154
            for (PKIXCertPathChecker chkr : chkrList) {

155
                if (chkr instanceof PKIXRevocationChecker) {

156
                    ((PKIXRevocationChecker)chkr).setOcspExtensions(

157
                            List.of(new BogusExtension("1.2.3.4.5.6.7.8.9",

158
                                    false, 256)));

159
                }

160
            }

161
            params.setCertPathCheckers(chkrList);

162
            validator.validate(path, params);

163


164
        } finally {

165
            if (ocspResponder != null) {

166
                ocspResponder.stop();

167
            }

168
        }

169
    }

170


171
    /**

172
     * Create an X509Certificate object from its PEM encoding

173
     *

174
     * @param pemCert the base64 encoded certificate

175
     *

176
     * @return the corresponding X509Certificate object from the PEM encoding.

177
     *

178
     * @throws IOException if any InputStream or Base64 decoding failures occur.

179
     * @throws CertificateException if any certificate parsing errors occur.

180
     */

181
    private static X509Certificate pem2Cert(String pemCert)

182
            throws IOException, CertificateException {

183
        return (X509Certificate)certFac.generateCertificate(

184
                new ByteArrayInputStream(pemCert.getBytes()));

185
    }

186


187
    /**

188
     * Create a private key from its PEM-encoded PKCS#8 representation.

189
     *

190
     * @param pemKey the private key in PEM-encoded PKCS#8 unencrypted format

191
     * @param algorithm the private key algorithm

192
     *

193
     * @return the PrivateKey extracted from the PKCS#8 encoding.

194
     *

195
     * @throws GeneralSecurityException if any errors take place during

196
     * decoding or parsing.

197
     */

198
    private static PrivateKey pem2Key(String pemKey, String algorithm)

199
            throws GeneralSecurityException {

200
        byte[] p8Der = Base64.getMimeDecoder().decode(pemKey);

201
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(p8Der, algorithm);

202
        KeyFactory kf = KeyFactory.getInstance(algorithm);

203
        return kf.generatePrivate(spec);

204
    }

205


206
    /**

207
     * The BogusOcspExtension is an extension with random data in the

208
     * extension value field.  It is used in this test to expand the size

209
     * of the OCSP request so it crosses the boundary that forces an HTTP

210
     * POST operation instead of a GET.

211
     */

212
    private static class BogusExtension implements Extension {

213
        private final ObjectIdentifier oid;

214
        private final boolean critical;

215
        private final byte[] data;

216


217
        public BogusExtension(String oidStr, boolean isCrit, int size)

218
                throws IOException {

219
            // For this test we don't need anything larger than 10K

220
            if (size > 0 && size <= 10240) {

221
                data = new byte[size];

222
            } else {

223
                throw new IllegalArgumentException(

224
                        "Size must be 0 < X <= 10240");

225
            }

226
            oid = ObjectIdentifier.of(oidStr);

227
            SecureRandom sr = new SecureRandom();

228
            sr.nextBytes(data);

229
            critical = isCrit;

230
        }

231


232
        @Override

233
        public String getId() {

234
            return oid.toString();

235
        }

236


237
        @Override

238
        public boolean isCritical() {

239
            return critical;

240
        }

241


242
        @Override

243
        public byte[] getValue() {

244
            return data.clone();

245
        }

246


247
        @Override

248
        public void encode(OutputStream out) throws IOException {

249
            Objects.requireNonNull(out, "Non-null OutputStream required");

250


251
            DerOutputStream dos1 = new DerOutputStream();

252
            DerOutputStream dos2 = new DerOutputStream();

253


254
            dos1.putOID(oid);

255
            if (critical) {

256
                dos1.putBoolean(critical);

257
            }

258
            dos1.putOctetString(data);

259


260
            dos2.write(DerValue.tag_Sequence, dos1);

261
            out.write(dos2.toByteArray());

262
        }

263
    }

264
}

265


266