1
/*
2
 * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
//
25
// Security properties, once set, cannot revert to unset.  To avoid
26
// conflicts with tests running in the same VM isolate this test by
27
// running it in otherVM mode.
28
//
29

30
/**
31
 * @test
32
 *
33
 * @bug 6720721
34
 * @summary CRL check with circular depency support needed
35
 * @run main/othervm CircularCRLOneLevelRevoked
36
 * @author Xuelei Fan
37
 */
38

39
import java.io.*;
40
import java.net.SocketException;
41
import java.util.*;
42
import java.security.Security;
43
import java.security.cert.*;
44
import java.security.cert.CertPathValidatorException.BasicReason;
45

46
public class CircularCRLOneLevelRevoked {
47

48
    static String selfSignedCertStr =
49
        "-----BEGIN CERTIFICATE-----\n" +
50
        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
51
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
52
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
53
        "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
54
        "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
55
        "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
56
        "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
57
        "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
58
        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
59
        "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
60
        "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
61
        "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
62
        "Vjw=\n" +
63
        "-----END CERTIFICATE-----";
64

65
    static String dumCaCertStr =
66
        "-----BEGIN CERTIFICATE-----\n" +
67
        "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
68
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" +
69
        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
70
        "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" +
71
        "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" +
72
        "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" +
73
        "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" +
74
        "/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
75
        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
76
        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" +
77
        "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" +
78
        "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" +
79
        "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" +
80
        "-----END CERTIFICATE-----";
81

82
    // a revoked certificate
83
    static String targetCertStr = dumCaCertStr;
84

85
    static String crlIssuerCertStr =
86
        "-----BEGIN CERTIFICATE-----\n" +
87
        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
88
        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
89
        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
90
        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
91
        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
92
        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
93
        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
94
        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
95
        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
96
        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
97
        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
98
        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
99
        "-----END CERTIFICATE-----";
100

101
    static String crlStr =
102
        "-----BEGIN X509 CRL-----\n" +
103
        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
104
        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
105
        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
106
        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
107
        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
108
        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
109
        "-----END X509 CRL-----";
110

111
    private static CertPath generateCertificatePath()
112
            throws CertificateException {
113
        // generate certificate from cert strings
114
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
115

116
        ByteArrayInputStream is;
117

118
        is = new ByteArrayInputStream(targetCertStr.getBytes());
119
        Certificate targetCert = cf.generateCertificate(is);
120

121
        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
122
        Certificate selfSignedCert = cf.generateCertificate(is);
123

124
        // generate certification path
125
        List<Certificate> list = Arrays.asList(new Certificate[] {
126
                        targetCert, selfSignedCert});
127

128
        return cf.generateCertPath(list);
129
    }
130

131
    private static Set<TrustAnchor> generateTrustAnchors()
132
            throws CertificateException {
133
        // generate certificate from cert string
134
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
135

136
        ByteArrayInputStream is =
137
                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
138
        Certificate selfSignedCert = cf.generateCertificate(is);
139

140
        // generate a trust anchor
141
        TrustAnchor anchor =
142
            new TrustAnchor((X509Certificate)selfSignedCert, null);
143

144
        return Collections.singleton(anchor);
145
    }
146

147
    private static CertStore generateCertificateStore() throws Exception {
148
        // generate CRL from CRL string
149
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
150

151
        ByteArrayInputStream is =
152
                    new ByteArrayInputStream(crlStr.getBytes());
153

154
        // generate a cert store
155
        Collection crls = cf.generateCRLs(is);
156

157
        is = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
158
        Collection certs = cf.generateCertificates(is);
159

160
        Collection entries = new HashSet();
161
        entries.addAll(crls);
162
        entries.addAll(certs);
163

164
        return CertStore.getInstance("Collection",
165
                            new CollectionCertStoreParameters(entries));
166
    }
167

168
    public static void main(String args[]) throws Exception {
169
        // MD5 is used in this test case, don't disable MD5 algorithm.
170
        Security.setProperty(
171
                "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");
172

173
        CertPath path = generateCertificatePath();
174
        Set<TrustAnchor> anchors = generateTrustAnchors();
175
        CertStore crls = generateCertificateStore();
176

177
        PKIXParameters params = new PKIXParameters(anchors);
178

179
        // add the CRL store
180
        params.addCertStore(crls);
181

182
        // Activate certificate revocation checking
183
        params.setRevocationEnabled(true);
184

185
        // set the validation time
186
        params.setDate(new Date(109, 5, 1));   // 2009-05-01
187

188
        // disable OCSP checker
189
        Security.setProperty("ocsp.enable", "false");
190

191
        // enable CRL checker
192
        System.setProperty("com.sun.security.enableCRLDP", "true");
193

194
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
195

196
        try {
197
            validator.validate(path, params);
198
            throw new Exception("unexpected status, should be REVOKED");
199
        } catch (CertPathValidatorException cpve) {
200
            if (cpve.getReason() != BasicReason.REVOKED) {
201
                throw new Exception(
202
                    "unexpected exception, should be a REVOKED CPVE", cpve);
203
            }
204
        }
205

206
    }
207
}
208

209