Path: blob/master/test/jdk/sun/security/lib/CheckBlockedCerts.java
41149 views
/*1* Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223/*24* @test25* @bug 8011402 8211969 823799526* @summary Move blacklisting certificate logic from hard code to data27* @modules java.base/sun.security.util28*/2930import sun.security.util.UntrustedCertificates;3132import java.io.*;33import java.security.KeyStore;34import java.security.cert.*;35import java.util.*;3637public class CheckBlockedCerts {38public static void main(String[] args) throws Exception {3940String home = System.getProperty("java.home");41boolean failed = false;4243// Root CAs should always be trusted44File file = new File(home, "lib/security/cacerts");45KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());46try (FileInputStream fis = new FileInputStream(file)) {47ks.load(fis, null);48}49System.out.println("Check for cacerts: " + ks.size());50for (String alias: Collections.list(ks.aliases())) {51X509Certificate cert = (X509Certificate)ks.getCertificate(alias);52if (UntrustedCertificates.isUntrusted(cert)) {53System.out.print(alias + " is untrusted");54failed = true;55}56}5758// All certs in the pem files59Set<Certificate> blocked = new HashSet<>();6061// Assumes the full src is available62File blockedCertsFile = new File(System.getProperty("test.src"),63"../../../../../make/data/blockedcertsconverter/blocked.certs.pem");6465CertificateFactory cf = CertificateFactory.getInstance("X.509");66try (FileInputStream fis = new FileInputStream(blockedCertsFile)) {67Collection<? extends Certificate> certs68= cf.generateCertificates(fis);69System.out.println(certs.size());70for (Certificate c: certs) {71blocked.add(c);72X509Certificate cert = ((X509Certificate)c);73if (!UntrustedCertificates.isUntrusted(cert)) {74System.out.println(cert.getSubjectX500Principal() +75" is trusted");76failed = true;77}78}79}8081// Check the blocked.certs file itself82file = new File(home, "lib/security/blocked.certs");83System.out.print("Check for " + file + ": ");84try (BufferedReader reader = new BufferedReader(85new InputStreamReader(new FileInputStream(file)))) {86int acount = 0;87int ccount = 0;88while (true) {89String line = reader.readLine();90if (line == null) break;91if (line.startsWith("Algorithm")) {92acount++;93} else if (!line.isEmpty() && !line.startsWith("#")) {94ccount++;95}96}97System.out.println(acount + " algs, " + ccount + " certs" );98if (acount != 1) {99System.out.println("There are " + acount + " algorithms");100failed = true;101}102// There are two unique fingerprints for each RSA certificate103if (ccount != blocked.size() * 2104&& !blocked.isEmpty()) {105System.out.println("Wrong blocked.certs size: "106+ ccount + " fingerprints, "107+ blocked.size() + " certs");108failed = true;109}110}111112if (failed) {113throw new Exception("Failed");114}115}116}117118119