Path: blob/master/test/jdk/java/security/cert/CertificateFactory/invalidEncodedCerts/DetectInvalidEncoding.java
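/*
 * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/**
 * @test
 * @bug 4776466 8032573
 * @summary check that CertificateFactory rejects invalid encoded X.509 certs
 */

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.List;
import java.util.LinkedList;
import javax.security.auth.x500.X500Principal;
import java.security.GeneralSecurityException;
import java.security.cert.*;

/**
 * Regression test for the decoding front end of the X.509
 * {@link CertificateFactory}.
 *
 * <p>Two groups of inputs are run. The "valid" group must decode and yield
 * exactly the expected subject (or CRL issuer) names, in order. The
 * "invalid" group must make the factory throw, and the thrown exception must
 * be of exactly the expected class; an input that decodes without an
 * exception fails the test. One invalid case concatenates a good certificate
 * with a corrupted one and expects an exception for the whole input rather
 * than the one good certificate.
 */
public class DetectInvalidEncoding {

    // Originally found in the test file:
    // java/security/cert/CertificateFactory/invalidEncodedCerts/invalidcert.pem
    // The first character of the PEM encoding has been changed from "M" to
    // "X" to force a failure during decoding.
    private static final String INVALID_CERT =
        "-----BEGIN CERTIFICATE-----\n" +
        "XIICJjCCAdCgAwIBAgIBITANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCVVMx\n" +
        "EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xFTAT\n" +
        "BgNVBAoTDEJFQSBXZWJMb2dpYzERMA8GA1UECxMIU2VjdXJpdHkxIzAhBgNVBAMT\n" +
        "GkRlbW8gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR4wHAYJKoZIhvcNAQkBFg9zdXBw\n" +
        "b3J0QGJlYS5jb20wHhcNMDAwNTMwMjEzODAxWhcNMDQwNTEzMjEzODAxWjCBjDEL\n" +
        "MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG\n" +
        "cmFuY2lzY28xFTATBgNVBAoTDEJFQSBXZWJMb2dpYzEZMBcGA1UEAxMQd2VibG9n\n" +
        "aWMuYmVhLmNvbTEeMBwGCSqGSIb3DQEJARYPc3VwcG9ydEBiZWEuY29tMFwwDQYJ\n" +
        "KoZIhvcNAQEBBQADSwAwSAJBALdsXEHqKHgs6zj0hU5sXMAUHzoT8kgWXmNkKHXH\n" +
        "79qbPh6EfdlriW9G/AbRF/pKrCQu7hhllAxREbqTuSlf2EMCAwEAATANBgkqhkiG\n" +
        "9w0BAQQFAANBACgmqflL5m5LNeJGpWx9aIoABCiuDcpw1fFyegsqGX7CBhffcruS\n" +
        "1p8h5vkHVbMu1frD1UgGnPlOO/K7Ig/KrsU=\n" +
        "-----END CERTIFICATE-----";

    // Created with keytool:
    // keytool -genkeypair -keyalg rsa -keysize 2048 -keystore <KS_FILE>
    //     -alias root -sigalg SHA256withRSA -dname "CN=Root, O=SomeCompany"
    //     -validity 730 -ext bc:critical=ca:true
    //     -ext ku:critical=keyCertSign,cRLSign
    private static final String SINGLE_ROOT_CERT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIDCjCCAfKgAwIBAgIEDUiw+DANBgkqhkiG9w0BAQsFADAlMRQwEgYDVQQKEwtT\n" +
        "b21lQ29tcGFueTENMAsGA1UEAxMEUm9vdDAeFw0xNDA4MjgyMTI5MjZaFw0xNjA4\n" +
        "MjcyMTI5MjZaMCUxFDASBgNVBAoTC1NvbWVDb21wYW55MQ0wCwYDVQQDEwRSb290\n" +
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0VFecSNdH6CJhPOSG127\n" +
        "tuvld4y7GGJ0kQf3Q0b8qgprsXAmn0/bQR+YX7PfS408cFW+q2SWXeY2kC/3chvi\n" +
        "2syMsGdUJrDzuMbYsbvKPKyuJ2GJskX3mSbLMJj5Tzhg4qmwbzDTFIJ51yGa1Wmh\n" +
        "i2+4PhltqT0TohvSVJlBrOWNhmvwv5UWsF4e2i04rebDZQoWkmD3MpImZXF/HYre\n" +
        "9P8NP97vN0xZmh5PySHy2ILXN3ZhTn3tq0YxNSQTaMUfhgoyzWFvZKAnm/tZIh/1\n" +
        "oswwEQPIZJ25AUTm9r3YPQXl1hsNdLU0asEVYRsgzGSTX5gCuUY+KzhStzisOcUY\n" +
        "uQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
        "HQ4EFgQUz1FBNixG/KCgcn6FOWzxP1hujG0wDQYJKoZIhvcNAQELBQADggEBAL60\n" +
        "ZaNc6eIMbKntGVE/pdxxyKwPdDyAAeEevX23KRWoLbQjHXo5jrfDPhI5k45ztlyU\n" +
        "+tIQbc81LlCl88I4dIx0fvEbxjNaAYhFNXwwSQBs2CuEAdRK8hodXbRcEeI+G10F\n" +
        "ARIVs2C7JNm/RhxskCWgj6tFIOGaTZ9gHyvlQUEM18sr5fXZlXTqspZCmz3t5XPi\n" +
        "5/wYLv6vk7k3G8WzMHbBE0bYI+61cCc8rbMHldtymbwSwiqfKC9y7oPEfRCbzVUe\n" +
        "fgrKcOyVWDuw0y0hhsQL/oONjPp4uK/bl9B7T84t4+ihxdocWKx6eyhFvOvZH9t2\n" +
        "kUylb9yBUYStwGExMHg=\n" +
        "-----END CERTIFICATE-----";

    // Created with keytool:
    // keytool -genkeypair -keyalg rsa -keysize 2048 -keystore <KS_FILE>
    //     -alias root -sigalg SHA256withRSA
    //     -dname "CN=Intermed, O=SomeCompany" -validity 730
    //     -ext bc:critical=ca:true -ext ku:critical=keyCertSign,cRLSign
    // keytool -certreq -keystore <KS_FILE> -sigalg SHA256withRSA
    //     -alias intermed -dname "CN=Intermed, O=SomeCompany"
    // keytool -gencert -keystore <KS_FILE> -alias intermed
    //     -sigalg SHA256withRSA -validity 730
    //     -ext bc:critical=ca:true -ext ku:critical=keyCertSign,cRLSign
    private static final String INTERMED_CA_CERT =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIDLzCCAhegAwIBAgIEIIgOyDANBgkqhkiG9w0BAQsFADAlMRQwEgYDVQQKEwtT\n" +
        "b21lQ29tcGFueTENMAsGA1UEAxMEUm9vdDAeFw0xNDA4MjgyMjUyNDJaFw0xNjA4\n" +
        "MDcyMjUyNDJaMCkxFDASBgNVBAoTC1NvbWVDb21wYW55MREwDwYDVQQDEwhJbnRl\n" +
        "cm1lZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJEecvTWla8kdWx+\n" +
        "HHu5ryfBpJ95I7V4MEajnmzJVZcwvKhDjlDgABDMuVwFEUUSyeOdbWJF3DLKnyMD\n" +
        "KTx6/58kuVak3NX2TJ8cmmIlKf1upFbdrEtjYViSnNrApprfO8B3ORdBbO6QDYza\n" +
        "IkAWdI5GllFnVkb4yhMUBg3zfhglF+bl3D3lVRlp9bCrUZoNRs+mZjhVbcMn22ej\n" +
        "TfG5Y3VpNM4SN8dFIxPQLLk/aao+cmWEQdbQ0R6ydemRukqrw170olSVLeoGGala\n" +
        "3D4oJckde8EgNPcghcsdQ6tpGhkpFhmoyzEsuToR7Gq9UT5V2kkqJneiKXqQg4wz\n" +
        "vMAlUGECAwEAAaNjMGEwHwYDVR0jBBgwFoAUOw+92bevFoJz96pR1DrAkPPUKb0w\n" +
        "DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLbnErBs\n" +
        "q/Mhci5XElfjjLZp3GRyMA0GCSqGSIb3DQEBCwUAA4IBAQAq8y2DpkSV31IXZ1vr\n" +
        "/Ye+Nj/2NvBydFeHVRGMAN1LJv6/Q42TCSXbr6cDQ4NWQUtPm90yZBYJSznkbShx\n" +
        "HOJEE6R8PRJvoUtMm7fJrNtkybTt6jX4j50Lw8gdYB/rgZb4z8ZQZVEo/0zpW4HV\n" +
        "Gs+q4z8TkdmLR18hl39sUEsxt99AOBk8NtKKVNfBWq9b0QDhRkXfmqhyeXdDsHOV\n" +
        "8ksulsa7hseheHhdjziEOpQugh8qzSea2kFPrLB53VjWfa4qDzEPaNhahho9piCu\n" +
        "82XDnOrcEk9KyHWM7sa7vtK7++W+0MXD/p9nkZ6NHrJXweLriU0DXO6ZY3mzNKJK\n" +
        "435M\n" +
        "-----END CERTIFICATE-----";

    // Subordinate cert created using keytool, both certs exported to
    // files individually, then use openssl to place in a PKCS#7:
    // openssl crl2pkcs7 -nocrl -certfile <INTERMED-CERT-PEM>
    //     -certfile <ROOT-CERT-PEM> -out <P7-DEST-PEM-FILE>
    private static final String PKCS7_INTERMED_ROOT_CERTS =
        "-----BEGIN PKCS7-----\n" +
        "MIIGbgYJKoZIhvcNAQcCoIIGXzCCBlsCAQExADALBgkqhkiG9w0BBwGgggZBMIID\n" +
        "LzCCAhegAwIBAgIEIIgOyDANBgkqhkiG9w0BAQsFADAlMRQwEgYDVQQKEwtTb21l\n" +
        "Q29tcGFueTENMAsGA1UEAxMEUm9vdDAeFw0xNDA4MjgyMjUyNDJaFw0xNjA4MDcy\n" +
        "MjUyNDJaMCkxFDASBgNVBAoTC1NvbWVDb21wYW55MREwDwYDVQQDEwhJbnRlcm1l\n" +
        "ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJEecvTWla8kdWx+HHu5\n" +
        "ryfBpJ95I7V4MEajnmzJVZcwvKhDjlDgABDMuVwFEUUSyeOdbWJF3DLKnyMDKTx6\n" +
        "/58kuVak3NX2TJ8cmmIlKf1upFbdrEtjYViSnNrApprfO8B3ORdBbO6QDYzaIkAW\n" +
        "dI5GllFnVkb4yhMUBg3zfhglF+bl3D3lVRlp9bCrUZoNRs+mZjhVbcMn22ejTfG5\n" +
        "Y3VpNM4SN8dFIxPQLLk/aao+cmWEQdbQ0R6ydemRukqrw170olSVLeoGGala3D4o\n" +
        "Jckde8EgNPcghcsdQ6tpGhkpFhmoyzEsuToR7Gq9UT5V2kkqJneiKXqQg4wzvMAl\n" +
        "UGECAwEAAaNjMGEwHwYDVR0jBBgwFoAUOw+92bevFoJz96pR1DrAkPPUKb0wDwYD\n" +
        "VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFLbnErBsq/Mh\n" +
        "ci5XElfjjLZp3GRyMA0GCSqGSIb3DQEBCwUAA4IBAQAq8y2DpkSV31IXZ1vr/Ye+\n" +
        "Nj/2NvBydFeHVRGMAN1LJv6/Q42TCSXbr6cDQ4NWQUtPm90yZBYJSznkbShxHOJE\n" +
        "E6R8PRJvoUtMm7fJrNtkybTt6jX4j50Lw8gdYB/rgZb4z8ZQZVEo/0zpW4HVGs+q\n" +
        "4z8TkdmLR18hl39sUEsxt99AOBk8NtKKVNfBWq9b0QDhRkXfmqhyeXdDsHOV8ksu\n" +
        "lsa7hseheHhdjziEOpQugh8qzSea2kFPrLB53VjWfa4qDzEPaNhahho9piCu82XD\n" +
        "nOrcEk9KyHWM7sa7vtK7++W+0MXD/p9nkZ6NHrJXweLriU0DXO6ZY3mzNKJK435M\n" +
        "MIIDCjCCAfKgAwIBAgIEdffjKTANBgkqhkiG9w0BAQsFADAlMRQwEgYDVQQKEwtT\n" +
        "b21lQ29tcGFueTENMAsGA1UEAxMEUm9vdDAeFw0xNDA4MjgyMjQ2MzZaFw0xNjA4\n" +
        "MjcyMjQ2MzZaMCUxFDASBgNVBAoTC1NvbWVDb21wYW55MQ0wCwYDVQQDEwRSb290\n" +
        "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhnXc8Avv54Gk2xjVa2yA\n" +
        "lBL/Cug1nyvKl5wqmN+foT6cMOX6bneCkJOJ4lSbch3gvl4ctlX/9hm3pB/+HhSr\n" +
        "em2NcLQrLEq8l9Ar4RnqfoXQR4Uy+4P6wj9OcVV7e/v/+ZPnStOoEAtb5nAwsR2b\n" +
        "hOC/tIFNwflrsmsmtMSoOiNftpYLFF4eOAdpDrXYMrqNu6ZxZsOQ7WZl4SsVOx1N\n" +
        "/IINXwBLyoHJDzLZ0iJEV0O6mh846s0n6QXeK1P5d0uLcoZaZ1k8Q4sRcdoLA6rS\n" +
        "e1WffipBFMvIuoDIigkHZIKVYRLG828rO+PFnRah0ybybkVsN6s3oLxfhswZDvut\n" +
        "OwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
        "HQ4EFgQUOw+92bevFoJz96pR1DrAkPPUKb0wDQYJKoZIhvcNAQELBQADggEBACBN\n" +
        "wEaV70FKKBINHtNwesd7TB6fgSaVgDZOO08aseHbXnm7AUhtDV3P5rQR2AsKtbg4\n" +
        "COhlKw2/Ki18D4DfdCccFKFTRZBjqj2PxNmn6C68l1/bT4PuUXuM7rW++53RcOA7\n" +
        "TbgLuzA25kSz7XinRvR8L4VwHtppu5tSYEthMIMgLZLGGV9r7kBfpY8lXdxQM8vb\n" +
        "xZUIysasvVtVUFPOTV6g2dfn8QCoqLOmxyzTLdXe4M6acP6f7lmhgr3LMqDtB6K9\n" +
        "pN+OImr77zNdZ+jTB+5e9a8gAvc5ZfG7Nk5RfwUatYTAFZ6Uggy2cKmIRpXCia18\n" +
        "If78mc7goS1+lHkGCs2hADEA\n" +
        "-----END PKCS7-----";

    // Empty PKCS#7 in DER form can be created with openssl:
    // openssl crl2pkcs7 -nocrl -outform DER
    private static final byte[] PKCS7_BER_EMPTY = {
        48, 39, 6, 9, 42, -122, 72, -122,
        -9, 13, 1, 7, 2, -96, 26, 48,
        24, 2, 1, 1, 49, 0, 48, 11,
        6, 9, 42, -122, 72, -122, -9, 13,
        1, 7, 1, -96, 0, -95, 0, 49,
        0
    };

    private static final String JTEST_ROOT_CRL =
        "-----BEGIN X509 CRL-----\n" +
        "MIICoTCBigIBATANBgkqhkiG9w0BAQsFADA1MQ4wDAYDVQQKEwVKVGVzdDELMAkG\n" +
        "A1UECxMCSVQxFjAUBgNVBAMTDUpUZXN0IFJvb3QgQ0EXDTE0MDkwNDE4NDIyMVqg\n" +
        "MDAuMB8GA1UdIwQYMBaAFO6bllCV6kctH77MfqAtefNeRdsmMAsGA1UdFAQEAgIA\n" +
        "jjANBgkqhkiG9w0BAQsFAAOCAgEAmp8ihtiRthknDC+VzehmlQw5u8MftMZYQYk5\n" +
        "EI04SwyzY9JTL8QHb4u7fXjnZAyN89aYPypI5OSyDsyyGP/JDNsBt2Um/fl0aaCl\n" +
        "Z4Np6x+dB9+oIU1XY7y2+uyQUC5MHivQ5ddbGPoAvK/msbugTGAjHvZpM+l0okiV\n" +
        "3SofDrii5BSosFEkXfkf2oG9ZLO3YamsFMEZaOj/eWDyGhTyJMGsq2/8NeTF21Tp\n" +
        "YkeDcTHqR5KHoYXjOIaS7NjmErm+uDpKH9Lq+JUcYrbUhmjnq5z04EsPF2F2L7Vb\n" +
        "THI+awQAUQit16lXGuz7fFRZi2vPyiaRP5n2QT5D+ac1dAs+oWLDJw6Tf2v9KVTe\n" +
        "OmW62yd6zQqCwBg+n57UcNu3sv/Sq3t7iRuN0AmWlIhu659POPQv7Np6bEo6dIpp\n" +
        "u7Ze6D2KPtM177ETHYlCx2a3g9VEZYKrVhQ2749St0Cp5szVq691jFZAWYOzcfEO\n" +
        "XfK1y25pmlBjvhNIIVRlU+T5rjNb8GaleYKVYnKOcv700K32QxFzcPf7nbNKwW99\n" +
        "tcaNHFNP+LW/XP8I3CJ8toXLLcOITKVwMA+0GlO5eL7eX5POc+vE9+7IzGuybmU4\n" +
        "uslxoLdJ0NSZWpYmf6a6qrJ67cj5i3706H+eBsWQcShfSYreh+TyWQaGk+fkEiUV\n" +
        "iy4QdJ0=\n" +
        "-----END X509 CRL-----";

    private static final String JTEST_INTERMED_CRL =
        "-----BEGIN X509 CRL-----\n" +
        "MIICzzCBuAIBATANBgkqhkiG9w0BAQsFADA/MQ4wDAYDVQQKEwVKVGVzdDELMAkG\n" +
        "A1UECxMCSVQxIDAeBgNVBAMTF0pUZXN0IEludGVybWVkaWF0ZSBDQSAxFw0xNDA5\n" +
        "MDQyMjE2NTRaMCIwIAIBBhcNMTQwOTA0MjIxNjU0WjAMMAoGA1UdFQQDCgEFoDAw\n" +
        "LjAfBgNVHSMEGDAWgBSvRdjbkSMJ3A7s5H6EWghQ+lkw/zALBgNVHRQEBAICAJsw\n" +
        "DQYJKoZIhvcNAQELBQADggIBALJmikMwil8oywhenoO8o9xxCOIU0xrt3KdfiSXw\n" +
        "8MtQXZHT9d1C6tlLAsYkWAfmfTvM2OU6wquFCLLsFmDZszbbCqmn4JhYBSKQMqlm\n" +
        "IHnsiOFPvITW2FU08fWNLM+FtQzPnTFmx/CJo+wfGpq5tZMIbsccsCJ5uvZVAWGh\n" +
        "0KbPmYcJG/O384+kzr/2H2IaoZoMMABec5c5FEF/tpp8jawzY+0VFyaVrumKWdan\n" +
        "+3OvRQxT1wLxfNi2vdxB2rmNPo423qanXZAoVv260um3LYlmXBNK1jwQ9lp78jkT\n" +
        "B7zMVa4hOUWVxdWc/LE6fUYgPsNqZd+hWy/PolIRp5TS21B5hkc5K87LT59GkexK\n" +
        "vNVKQennOLGtH+Q7htK4UeY4Gm/W7UydOQ0k7hZzyfMDkCfLfNfK0l63qKwUku36\n" +
        "UdeI1LXqulPEvb/d7rRAAM9p5Sm+RsECj2bcrZBMdIGXcSo26A5tzZpTEC79i4S1\n" +
        "yxYIooeBnouUkDJ9+VBsJTSKY5fpU8JSkQPRyHKt+trGAkBt2Ka5MqrHtITzQ1vP\n" +
        "5q4tNr45JGEXllH83NlBpWURfsdtkDHa3lxTD/pkrywOCyzz7wQ22D8Kul7EN8nT\n" +
        "7LDbN+O3G9GHICxvWlJHp6HMsqGTuH1MIUR+5uZFOJa1S0IzorUIEieLncDUPgzO\n" +
        "M4JA\n" +
        "-----END X509 CRL-----";

    // PKCS#7 CRL Set containing JTEST root and intermediate CRLs
    private static final String PKCS7_CRL_SET =
        "-----BEGIN PKCS7-----\n" +
        "MIIFpQYJKoZIhvcNAQcCoIIFljCCBZICAQExADALBgkqhkiG9w0BBwGgAKGCBXgw\n" +
        "ggKhMIGKAgEBMA0GCSqGSIb3DQEBCwUAMDUxDjAMBgNVBAoTBUpUZXN0MQswCQYD\n" +
        "VQQLEwJJVDEWMBQGA1UEAxMNSlRlc3QgUm9vdCBDQRcNMTQwOTA0MTg0MjIxWqAw\n" +
        "MC4wHwYDVR0jBBgwFoAU7puWUJXqRy0fvsx+oC15815F2yYwCwYDVR0UBAQCAgCO\n" +
        "MA0GCSqGSIb3DQEBCwUAA4ICAQCanyKG2JG2GScML5XN6GaVDDm7wx+0xlhBiTkQ\n" +
        "jThLDLNj0lMvxAdvi7t9eOdkDI3z1pg/Kkjk5LIOzLIY/8kM2wG3ZSb9+XRpoKVn\n" +
        "g2nrH50H36ghTVdjvLb67JBQLkweK9Dl11sY+gC8r+axu6BMYCMe9mkz6XSiSJXd\n" +
        "Kh8OuKLkFKiwUSRd+R/agb1ks7dhqawUwRlo6P95YPIaFPIkwayrb/w15MXbVOli\n" +
        "R4NxMepHkoehheM4hpLs2OYSub64Okof0ur4lRxittSGaOernPTgSw8XYXYvtVtM\n" +
        "cj5rBABRCK3XqVca7Pt8VFmLa8/KJpE/mfZBPkP5pzV0Cz6hYsMnDpN/a/0pVN46\n" +
        "ZbrbJ3rNCoLAGD6fntRw27ey/9Kre3uJG43QCZaUiG7rn0849C/s2npsSjp0imm7\n" +
        "tl7oPYo+0zXvsRMdiULHZreD1URlgqtWFDbvj1K3QKnmzNWrr3WMVkBZg7Nx8Q5d\n" +
        "8rXLbmmaUGO+E0ghVGVT5PmuM1vwZqV5gpVico5y/vTQrfZDEXNw9/uds0rBb321\n" +
        "xo0cU0/4tb9c/wjcIny2hcstw4hMpXAwD7QaU7l4vt5fk85z68T37sjMa7JuZTi6\n" +
        "yXGgt0nQ1JlaliZ/prqqsnrtyPmLfvTof54GxZBxKF9Jit6H5PJZBoaT5+QSJRWL\n" +
        "LhB0nTCCAs8wgbgCAQEwDQYJKoZIhvcNAQELBQAwPzEOMAwGA1UEChMFSlRlc3Qx\n" +
        "CzAJBgNVBAsTAklUMSAwHgYDVQQDExdKVGVzdCBJbnRlcm1lZGlhdGUgQ0EgMRcN\n" +
        "MTQwOTA0MjIxNjU0WjAiMCACAQYXDTE0MDkwNDIyMTY1NFowDDAKBgNVHRUEAwoB\n" +
        "BaAwMC4wHwYDVR0jBBgwFoAUr0XY25EjCdwO7OR+hFoIUPpZMP8wCwYDVR0UBAQC\n" +
        "AgCbMA0GCSqGSIb3DQEBCwUAA4ICAQCyZopDMIpfKMsIXp6DvKPccQjiFNMa7dyn\n" +
        "X4kl8PDLUF2R0/XdQurZSwLGJFgH5n07zNjlOsKrhQiy7BZg2bM22wqpp+CYWAUi\n" +
        "kDKpZiB57IjhT7yE1thVNPH1jSzPhbUMz50xZsfwiaPsHxqaubWTCG7HHLAiebr2\n" +
        "VQFhodCmz5mHCRvzt/OPpM6/9h9iGqGaDDAAXnOXORRBf7aafI2sM2PtFRcmla7p\n" +
        "ilnWp/tzr0UMU9cC8XzYtr3cQdq5jT6ONt6mp12QKFb9utLpty2JZlwTStY8EPZa\n" +
        "e/I5Ewe8zFWuITlFlcXVnPyxOn1GID7DamXfoVsvz6JSEaeU0ttQeYZHOSvOy0+f\n" +
        "RpHsSrzVSkHp5zixrR/kO4bSuFHmOBpv1u1MnTkNJO4Wc8nzA5Any3zXytJet6is\n" +
        "FJLt+lHXiNS16rpTxL2/3e60QADPaeUpvkbBAo9m3K2QTHSBl3EqNugObc2aUxAu\n" +
        "/YuEtcsWCKKHgZ6LlJAyfflQbCU0imOX6VPCUpED0chyrfraxgJAbdimuTKqx7SE\n" +
        "80Nbz+auLTa+OSRhF5ZR/NzZQaVlEX7HbZAx2t5cUw/6ZK8sDgss8+8ENtg/Crpe\n" +
        "xDfJ0+yw2zfjtxvRhyAsb1pSR6ehzLKhk7h9TCFEfubmRTiWtUtCM6K1CBIni53A\n" +
        "1D4MzjOCQDEA\n" +
        "-----END PKCS7-----";

    /**
     * Builds the valid and invalid case lists and runs them in that order.
     *
     * @param args unused
     * @throws Exception if a case cannot be constructed or a decode call
     *         throws something the case does not handle
     */
    public static void main(String[] args) throws Exception {
        List<DecodeTest> validTests = new LinkedList<>();
        List<DecodeTest> invalidTests = new LinkedList<>();

        // Load up positive test cases (for sanity checks)
        StringBuilder sb = new StringBuilder();

        validTests.add(new GenMultiCertTest("Single, valid certificate",
                ascii(SINGLE_ROOT_CERT), null,
                new X500Principal("CN=Root, O=SomeCompany")));
        validTests.add(new GenMultiCertTest("PEM-encoded PKCS#7 chain",
                ascii(PKCS7_INTERMED_ROOT_CERTS), null,
                new X500Principal("CN=Intermed, O=SomeCompany"),
                new X500Principal("CN=Root, O=SomeCompany")));
        validTests.add(new GenMultiCertTest("Two PEM-encoded X509 certs",
                ascii(INTERMED_CA_CERT + "\n" + SINGLE_ROOT_CERT),
                null,
                new X500Principal("CN=Intermed, O=SomeCompany"),
                new X500Principal("CN=Root, O=SomeCompany")));
        validTests.add(new GenMultiCertTest("Empty data", new byte[0], null));

        sb.append("Certificate 1: CN=Root, O=SomeCompany\n");
        sb.append(SINGLE_ROOT_CERT).append("\n");
        sb.append("Certificate 2: CN=Intermed, O=SomeCompany\n");
        sb.append(INTERMED_CA_CERT).append("\n");
        sb.append("Extra trailing data\n");
        validTests.add(new GenMultiCertTest(
                "Two PEM-encoded certs with leading/trailing " +
                "text data around each.", ascii(sb.toString()), null,
                new X500Principal("CN=Root, O=SomeCompany"),
                new X500Principal("CN=Intermed, O=SomeCompany")));
        validTests.add(new GenMultiCertTest(
                "BER-encoded PKCS#7 with empty certificates segment",
                PKCS7_BER_EMPTY, null));
        validTests.add(new GenMultiCRLTest(
                "CRL with leading and trailing text data",
                ascii("This is a CRL\n" + JTEST_ROOT_CRL +
                        "\nSee? Told you so\n\n"), null,
                new X500Principal("CN=JTest Root CA,OU=IT,O=JTest")));
        validTests.add(new GenMultiCRLTest(
                "Two CRLs, one after the other with leading/trailing text",
                ascii("This is a CRL\n" + JTEST_ROOT_CRL +
                        "\nAnd this is another CRL\n" + JTEST_INTERMED_CRL +
                        "\nAnd this is trailing text\n"), null,
                new X500Principal("CN=JTest Root CA,OU=IT,O=JTest"),
                new X500Principal(
                        "CN=JTest Intermediate CA 1,OU=IT,O=JTest")));
        validTests.add(new GenMultiCRLTest("Two CRLs in a PKCS#7 CRL set",
                ascii(PKCS7_CRL_SET), null,
                new X500Principal("CN=JTest Root CA,OU=IT,O=JTest"),
                new X500Principal("CN=JTest Intermediate CA 1,OU=IT,O=JTest")));

        // Load up all test cases where we expect failures
        invalidTests.add(new GenSingleCertTest("Invalid PEM encoding",
                ascii(INVALID_CERT),
                new CertificateParsingException()));
        invalidTests.add(new GenMultiCertTest("Invalid PEM encoding",
                ascii(INVALID_CERT),
                new CertificateParsingException()));
        // A good certificate followed by a corrupted one: the expectation
        // is an exception for the whole input, not the one good certificate.
        invalidTests.add(new GenMultiCertTest(
                "Two cert sequence, one valid and one invalid",
                ascii(INTERMED_CA_CERT + "\n" + INVALID_CERT),
                new CertificateParsingException()));
        invalidTests.add(new GenMultiCertTest("Non-certificate text",
                ascii("This is not a certificate"),
                new CertificateException()));
        invalidTests.add(new GenMultiCertTest(
                "Non-certificate text with partial PEM header (4 hyphens)",
                ascii("----This is not a valid x509 certificate"),
                new CertificateException()));
        invalidTests.add(new GenMultiCertTest(
                "Leading non-certificate text plus valid PEM header, " +
                "but not on new line",
                ascii("This is not valid -----BEGIN CERTIFICATE-----"),
                new CertificateException()));
        byte[] emptyCString = {0};
        invalidTests.add(new GenMultiCertTest("Empty C-style string",
                emptyCString, new CertificateException()));
        invalidTests.add(new GenMultiCRLTest("Non-CRL text",
                ascii("This is not a CRL"), new CRLException()));
        invalidTests.add(new GenMultiCRLTest("Valid headers, but not a CRL",
                ascii(INTERMED_CA_CERT), new CRLException()));

        System.out.println("===== Valid Tests =====");
        for (DecodeTest dt : validTests) {
            dt.passTest();
        }
        System.out.print("\n");

        System.out.println("===== Invalid Tests =====");
        for (DecodeTest dt : invalidTests) {
            dt.failTest();
        }
    }

    /**
     * Encodes test input as US-ASCII bytes.
     *
     * <p>Every input built in this file is plain ASCII. Naming the charset
     * keeps the bytes handed to the factory the same on every platform
     * instead of depending on the JVM's default charset.
     *
     * @param text the ASCII test input
     * @return the bytes of {@code text}
     */
    private static byte[] ascii(String text) {
        return text.getBytes(StandardCharsets.US_ASCII);
    }

    /**
     * One decoding case: a name, the raw input, and either the names the
     * decoded objects must carry or the exception the decode must raise.
     */
    public static abstract class DecodeTest {
        protected String testName;
        protected byte[] testData;
        protected Throwable expectedException;
        protected X500Principal[] principals;
        protected CertificateFactory cf;

        /**
         * Construct a DecodeTest
         *
         * @param name The test name
         * @param input A byte array consisting of the input for this test
         * @param failType An exception whose class should match the expected
         *      exception that will be thrown when this test is run
         * @param princs Zero or more X500Principals which will be used
         *      to compare the output in a success case.
         * @throws CertificateException if no X.509 CertificateFactory is
         *      available
         */
        DecodeTest(String name, byte[] input, Throwable failType,
                X500Principal... princs) throws CertificateException {
            testName = name;
            // Private copy, so later changes to the caller's array cannot
            // alter the case.
            testData = input.clone();
            expectedException = failType;
            principals = princs;
            cf = CertificateFactory.getInstance("X.509");
        }

        /**
         * Runs the case as a positive test: the input must decode and the
         * decoded names must match {@link #principals}.
         *
         * @throws GeneralSecurityException if decoding fails
         */
        public abstract void passTest() throws GeneralSecurityException;

        /**
         * Runs the case as a negative test: decoding must throw an exception
         * of exactly the class of {@link #expectedException}.
         *
         * @throws GeneralSecurityException if decoding throws an exception
         *      type the implementation does not catch
         */
        public abstract void failTest() throws GeneralSecurityException;

        /**
         * Rejects a negative test that was built without an expected
         * exception.
         *
         * @throws RuntimeException if {@link #expectedException} is null
         */
        protected void requireExpectedException() {
            if (expectedException == null) {
                throw new RuntimeException("failTest requires non-null " +
                        "expectedException");
            }
        }

        /**
         * Checks the outcome of a negative test.
         *
         * <p>The comparison is on the exact class, not {@code instanceof}:
         * a case that expects {@code CertificateException} fails if the
         * factory throws the subclass {@code CertificateParsingException},
         * and the other way round.
         *
         * @param caughtException what the decode call threw, or null if it
         *      returned normally
         * @throws RuntimeException if nothing was thrown, or if the thrown
         *      class differs from the expected one (the caught exception is
         *      then attached as the cause)
         */
        protected void verifyFailure(Throwable caughtException) {
            if (caughtException == null) {
                // For a failure test, we'd expect some kind of exception
                // to be thrown.
                throw new RuntimeException("Failed to catch expected " +
                        "exception " + expectedException.getClass());
            }

            // It has to be the right kind of exception though...
            if (!caughtException.getClass().equals(
                    expectedException.getClass())) {
                System.err.println("Unexpected exception thrown. " +
                        "Received: " + caughtException + ", Expected: " +
                        expectedException.getClass());
                throw new RuntimeException(caughtException);
            }
        }
    }

    /** Cases for {@code CertificateFactory.generateCertificates}. */
    public static class GenMultiCertTest extends DecodeTest {
        public GenMultiCertTest(String name, byte[] input, Throwable failType,
                X500Principal... princs) throws CertificateException {
            super(name, input, failType, princs);
        }

        /**
         * Decodes the input and requires as many certificates as expected
         * principals, with subject names matching position by position.
         */
        @Override
        public void passTest() throws GeneralSecurityException {
            System.out.println("generateCertificates(): " + testName);
            Collection<? extends Certificate> certs =
                    cf.generateCertificates(new ByteArrayInputStream(testData));

            if (certs.size() != principals.length) {
                throw new RuntimeException("Size mismatch: certs = " +
                        certs.size() + ", expected = " +
                        principals.length);
            }

            // Walk the certs Collection and do a comparison of subject names
            int i = 0;
            for (Certificate crt : certs) {
                X509Certificate xc = (X509Certificate)crt;
                if (!xc.getSubjectX500Principal().equals(principals[i])) {
                    throw new RuntimeException("Name mismatch: " +
                            "cert: " + xc.getSubjectX500Principal() +
                            ", expected: " + principals[i]);
                }
                i++;
            }
        }

        /**
         * Decodes the input and requires the expected exception; a normal
         * return fails the case.
         */
        @Override
        public void failTest() throws GeneralSecurityException {
            Throwable caughtException = null;

            System.out.println("generateCertificates(): " + testName);
            requireExpectedException();

            try {
                cf.generateCertificates(new ByteArrayInputStream(testData));
            } catch (CertificateException ce) {
                caughtException = ce;
            }

            verifyFailure(caughtException);
        }
    }

    /** Cases for {@code CertificateFactory.generateCertificate}. */
    public static class GenSingleCertTest extends DecodeTest {
        public GenSingleCertTest(String name, byte[] input, Throwable failType,
                X500Principal... princs) throws CertificateException {
            super(name, input, failType, princs);
        }

        /**
         * Decodes one certificate and compares its subject name with the
         * first expected principal.
         *
         * @throws RuntimeException if no expected principal was supplied or
         *      the subject name differs
         */
        @Override
        public void passTest() throws GeneralSecurityException {
            System.out.println("generateCertificate(): " + testName);

            // Without an expected name there is nothing to compare against;
            // report that instead of failing on principals[0] below.
            if (principals.length == 0) {
                throw new RuntimeException("passTest requires at least " +
                        "one expected principal");
            }

            X509Certificate cert = (X509Certificate)cf.generateCertificate(
                    new ByteArrayInputStream(testData));

            // Compare the cert's subject name against the expected value
            // provided in the test. If multiple X500Principals were provided
            // just use the first one as the expected value.
            if (!cert.getSubjectX500Principal().equals(principals[0])) {
                throw new RuntimeException("Name mismatch: " +
                        "cert: " + cert.getSubjectX500Principal() +
                        ", expected: " + principals[0]);
            }
        }

        /**
         * Decodes the input and requires the expected exception; a normal
         * return fails the case.
         */
        @Override
        public void failTest() throws GeneralSecurityException {
            Throwable caughtException = null;
            System.out.println("generateCertificate(): " + testName);

            requireExpectedException();

            try {
                cf.generateCertificate(new ByteArrayInputStream(testData));
            } catch (CertificateException e) {
                caughtException = e;
            }

            verifyFailure(caughtException);
        }
    }

    /** Cases for {@code CertificateFactory.generateCRLs}. */
    public static class GenMultiCRLTest extends DecodeTest {
        public GenMultiCRLTest(String name, byte[] input, Throwable failType,
                X500Principal... princs) throws CertificateException {
            super(name, input, failType, princs);
        }

        /**
         * Decodes the input and requires as many CRLs as expected
         * principals, with issuer names matching position by position.
         */
        @Override
        public void passTest() throws GeneralSecurityException {
            System.out.println("generateCRLs(): " + testName);
            Collection<? extends CRL> crls =
                    cf.generateCRLs(new ByteArrayInputStream(testData));

            if (crls.size() != principals.length) {
                throw new RuntimeException("Size mismatch: crls = " +
                        crls.size() + ", expected = " +
                        principals.length);
            }

            // Walk the crls Collection and do a comparison of issuer names
            int i = 0;
            for (CRL revlist : crls) {
                X509CRL xc = (X509CRL)revlist;
                if (!xc.getIssuerX500Principal().equals(principals[i])) {
                    throw new RuntimeException("Name mismatch: " +
                            "CRL: " + xc.getIssuerX500Principal() +
                            ", expected: " + principals[i]);
                }
                i++;
            }
        }

        /**
         * Decodes the input and requires the expected exception; a normal
         * return fails the case.
         */
        @Override
        public void failTest() throws GeneralSecurityException {
            Throwable caughtException = null;

            System.out.println("generateCRLs(): " + testName);
            requireExpectedException();

            try {
                cf.generateCRLs(new ByteArrayInputStream(testData));
            } catch (CRLException e) {
                caughtException = e;
            }

            verifyFailure(caughtException);
        }
    }
}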