Path: blob/master/test/jdk/sun/security/tools/keytool/CheckCertAKID.java
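/*
 * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8257497
 * @summary Check if issuer's SKID is used to establish the AKID for the subject cert
 * @library /test/lib
 * @modules java.base/sun.security.util
 */

import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;

import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import sun.security.util.DerValue;
import sun.security.util.KnownOIDs;
import static sun.security.util.KnownOIDs.*;

/**
 * Regression test for 8257497: when keytool signs a certificate request
 * ({@code -gencert}) with an issuer whose certificate carries a
 * SubjectKeyIdentifier extension, the issued certificate's
 * AuthorityKeyIdentifier must carry exactly that key identifier.
 *
 * <p>Failures are reported by throwing, which is how jtreg expects a test
 * to fail; {@code System.exit()} would bypass jtreg's normal reporting.
 */
public class CheckCertAKID {

    /** Keystore file shared by every keytool invocation in this test. */
    private static final String KEYSTORE = "ks";

    /** Keystore password; a fixed test value, not a secret. */
    private static final String STOREPASS = "changeit";

    /**
     * The 20-byte key identifier installed as the CA's SubjectKeyIdentifier
     * (the payload of the {@code 04:14:...} OCTET STRING handed to
     * {@code -ext 2.5.29.14} below) and therefore expected as the end
     * entity's AuthorityKeyIdentifier.
     */
    private static final byte[] EXPECTED_ID = {
            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19};

    /**
     * Runs keytool against keystore {@code ks} with the test store password.
     *
     * @param cmd keytool command and options
     * @param ks  keystore file name
     * @return analyzer over the keytool process output
     * @throws Exception if the keytool process cannot be run
     */
    static OutputAnalyzer kt(String cmd, String ks) throws Exception {
        return SecurityTools.keytool("-storepass " + STOREPASS + " " + cmd +
                " -keystore " + ks);
    }

    /**
     * Builds a CA with an explicit SKID, issues an end entity cert from it,
     * and checks that the end entity's AKID equals the CA's SKID.
     *
     * @param args unused
     * @throws Exception on any keytool or keystore failure, or on mismatch
     */
    public static void main(String[] args) throws Exception {

        System.out.println("Generating a root cert with SubjectKeyIdentifier extension");
        kt("-genkeypair -keyalg rsa -alias ca -dname CN=CA -ext bc:c " +
                "-ext 2.5.29.14=04:14:00:01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16:17:18:19",
                KEYSTORE);

        kt("-exportcert -alias ca -rfc -file root.cert", KEYSTORE);

        // The self-signed root must show the SKID we supplied and no AKID.
        SecurityTools.keytool("-keystore " + KEYSTORE + " -storepass " + STOREPASS + " " +
                "-printcert -file root.cert")
                .shouldNotContain("AuthorityKeyIdentifier")
                .shouldContain("SubjectKeyIdentifier")
                .shouldContain("0000: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15")
                .shouldContain("0010: 16 17 18 19")
                .shouldHaveExitValue(0);

        System.out.println("Generating an end entity cert using issuer CA's SKID as its AKID");
        kt("-genkeypair -keyalg rsa -alias e1 -dname CN=E1", KEYSTORE);
        kt("-certreq -alias e1 -file tmp.req", KEYSTORE);
        kt("-gencert -alias ca -ext san=dns:e1 -infile tmp.req -outfile tmp.cert ",
                KEYSTORE);
        kt("-importcert -alias e1 -file tmp.cert", KEYSTORE);

        KeyStore kstore = KeyStore.getInstance(new File(KEYSTORE),
                STOREPASS.toCharArray());
        X509Certificate cert = (X509Certificate) kstore.getCertificate("e1");
        if (cert == null) {
            // getCertificate returns null for an unknown alias; fail with a
            // clear message instead of an NPE further down.
            throw new RuntimeException("Alias e1 not found in keystore " + KEYSTORE);
        }

        byte[] authorityKeyId = extractKeyIdentifier(cert);
        if (!Arrays.equals(authorityKeyId, EXPECTED_ID)) {
            throw new RuntimeException("Failed due to AKID mismatch: got "
                    + Arrays.toString(authorityKeyId));
        }
    }

    /**
     * Returns the keyIdentifier field of {@code cert}'s AuthorityKeyIdentifier
     * extension.
     *
     * <p>The extension value is an OCTET STRING wrapping
     * {@code AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT
     * OCTET STRING OPTIONAL, ... }} (RFC 5280, 4.2.1.1), so once the outer
     * OCTET STRING is removed the bytes are {@code 30 <len> 80 <len> <id>}.
     * This test only produces identifiers shorter than 128 bytes, so the
     * short-form length is sufficient; any other layout is reported as a
     * failure rather than sliced at a fixed offset.
     *
     * @param cert the end entity certificate
     * @return the keyIdentifier bytes
     * @throws RuntimeException if the extension is missing, undecodable, or
     *         not laid out as described above
     */
    private static byte[] extractKeyIdentifier(X509Certificate cert) {
        byte[] authorityKeyIdExt = cert.getExtensionValue(
                KnownOIDs.AuthorityKeyID.value());
        if (authorityKeyIdExt == null) {
            throw new RuntimeException("Failed to get AKID extension from the cert");
        }

        byte[] akid;
        try {
            akid = new DerValue(authorityKeyIdExt).getOctetString();
        } catch (IOException e) {
            // keep the decoder's diagnosis in the failure instead of a bare message
            throw new RuntimeException(
                    "Failed to get AKID encoded OctetString in the cert", e);
        }

        // SEQUENCE header (0x30 <len>) followed by the [0] IMPLICIT keyIdentifier
        // header (0x80 <len>); both lengths must be short-form and in bounds.
        if (akid.length < 4 || akid[0] != 0x30 || akid[2] != (byte) 0x80
                || (akid[1] & 0x80) != 0 || (akid[3] & 0x80) != 0
                || 4 + akid[3] > akid.length) {
            throw new RuntimeException("Unexpected AKID encoding: "
                    + Arrays.toString(akid));
        }
        return Arrays.copyOfRange(akid, 4, 4 + akid[3]);
    }
}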