1/* 2 * Copyright (c) 2004, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24// 25// Security properties, once set, cannot revert to unset. To avoid 26// conflicts with tests running in the same VM isolate this test by 27// running it in otherVM mode. 28// 29 30/** 31 * @test 32 * @bug 5072953 33 * @summary Verify that the URL for an OCSP responder can be extracted from a 34 * certificate's AuthorityInfoAccess extension when OCSP certifiate 35 * validation has been enabled. 36 * @run main/othervm AIACheck 37 */ 38 39import java.io.*; 40import java.net.*; 41import java.util.*; 42import java.security.Security; 43import java.security.cert.*; 44 45public class AIACheck { 46 47 private final static File baseDir = 48 new File(System.getProperty("test.src", ".")); 49 50 private static X509Certificate loadCertificate(String name) 51 throws Exception 52 { 53 File certFile = new File(baseDir, name); 54 InputStream in = new FileInputStream(certFile); 55 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 56 X509Certificate cert = (X509Certificate)cf.generateCertificate(in); 57 return cert; 58 } 59 60 public static void main(String args[]) throws Exception { 61 // MD5 is used in this test case, don't disable MD5 algorithm. 62 Security.setProperty( 63 "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); 64 65 X509Certificate aiaCert = loadCertificate("AIACert.pem"); 66 X509Certificate rootCert = loadCertificate("RootCert.pem"); 67 68 List<X509Certificate> list = 69 //Arrays.asList(new X509Certificate[] {aiaCert, rootCert}); 70 Arrays.asList(new X509Certificate[] {aiaCert}); 71 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 72 CertPath path = cf.generateCertPath(list); 73 74 TrustAnchor anchor = new TrustAnchor(rootCert, null); 75 Set<TrustAnchor> anchors = Collections.singleton(anchor); 76 77 PKIXParameters params = new PKIXParameters(anchors); 78 // Activate certificate revocation checking 79 params.setRevocationEnabled(true); 80 81 // Activate OCSP 82 Security.setProperty("ocsp.enable", "true"); 83 84 // Ensure that the ocsp.responderURL property is not set. 85 if (Security.getProperty("ocsp.responderURL") != null) { 86 throw new 87 Exception("The ocsp.responderURL property must not be set"); 88 } 89 90 CertPathValidator validator = CertPathValidator.getInstance("PKIX"); 91 92 try { 93 validator.validate(path, params); 94 throw new Exception("Successfully validated an invalid path"); 95 96 } catch (CertPathValidatorException e ) { 97 Throwable rootCause = e.getCause(); 98 if (!(rootCause instanceof SocketException || 99 rootCause instanceof SocketTimeoutException)) { 100 throw e; 101 } 102 103 // Success - client located OCSP responder in AIA extension 104 // and attempted to connect. 105 System.out.println("Extracted the URL of the OCSP responder from " + 106 "the certificate's AuthorityInfoAccess extension."); 107 } 108 } 109} 110