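/*
 * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/**
 * @test
 * @bug 6383095 8019259
 * @summary CRL revoked certificate failures masked by OCSP failures
 *
 * The end-entity certificate below is listed as revoked in the CRL below.
 * Validation is run twice with OCSP enabled but unusable (first with no
 * responder URL at all, then with an unparseable one); in both cases the
 * validator must fall back to the CRL and report REVOKED. A validation that
 * succeeds, or that fails for any other reason, is a test failure.
 *
 * Note that the certificate validity is from Mar 16 14:55:35 2009 GMT to
 * Dec 1 14:55:35 2028 GMT; please replace it with a newer certificate if it
 * expires.
 *
 * NOTE(review): the fixtures are signed with md5WithRSAEncryption over
 * 1024-bit RSA keys (see the dump below). On a JDK whose
 * jdk.certpath.disabledAlgorithms property disables MD5 the validator will
 * presumably reject the path with ALGORITHM_CONSTRAINED before revocation is
 * consulted, and this test will then report an unexpected exception -- confirm
 * and regenerate the fixtures with a current algorithm if so.
 *
 * @author Xuelei Fan
 */

/*
 * Certificates used in the test.
 *
 * end entity certificate:
 *   Data:
 *     Version: 3 (0x2)
 *     Serial Number: 25 (0x19)
 *     Signature Algorithm: md5WithRSAEncryption
 *     Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
 *     Validity
 *       Not Before: Mar 16 14:55:35 2009 GMT
 *       Not After : Dec  1 14:55:35 2028 GMT
 *     Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org, OU=SSL-Client,
 *              CN=localhost
 *     Subject Public Key Info:
 *       Public Key Algorithm: rsaEncryption
 *       RSA Public Key: (1024 bit)
 *         Modulus (1024 bit):
 *           00:bb:f0:40:36:ac:26:54:4e:f4:a3:5a:00:2f:69:
 *           21:6f:b9:7a:3a:93:ec:a2:f6:e1:8e:c7:63:d8:2f:
 *           12:30:99:2e:b0:f2:8f:f8:27:2d:24:78:28:84:f7:
 *           01:bf:8d:44:79:dd:3b:d2:55:f3:ce:3c:b2:5b:21:
 *           7d:ef:fd:33:4a:b1:a3:ff:c6:c8:9b:b9:0f:7c:41:
 *           35:97:f9:db:3a:05:60:05:15:af:59:17:92:a3:10:
 *           ad:16:1c:e4:07:53:af:a8:76:a2:56:2a:92:d3:f9:
 *           28:e0:78:cf:5e:1f:48:ab:5c:19:dd:e1:67:43:ba:
 *           75:8d:f5:82:ac:43:92:44:1b
 *         Exponent: 65537 (0x10001)
 *     X509v3 extensions:
 *       X509v3 Basic Constraints:
 *         CA:FALSE
 *       X509v3 Key Usage:
 *         Digital Signature, Non Repudiation, Key Encipherment
 *       X509v3 Subject Key Identifier:
 *         CD:BB:C8:85:AA:91:BD:FD:1D:BE:CD:67:7C:FF:B3:E9:4C:A8:22:E6
 *       X509v3 Authority Key Identifier:
 *         keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
 *   Signature Algorithm: md5WithRSAEncryption
 *
 *
 * trusted certificate authority:
 *   Data:
 *     Version: 3 (0x2)
 *     Serial Number: 0 (0x0)
 *     Signature Algorithm: md5WithRSAEncryption
 *     Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org
 *     Validity
 *       Not Before: Dec  8 02:43:36 2008 GMT
 *       Not After : Aug 25 02:43:36 2028 GMT
 *     Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org
 *     Subject Public Key Info:
 *       Public Key Algorithm: rsaEncryption
 *       RSA Public Key: (1024 bit)
 *         Modulus (1024 bit):
 *           00:cb:c4:38:20:07:be:88:a7:93:b0:a1:43:51:2d:
 *           d7:8e:85:af:54:dd:ad:a2:7b:23:5b:cf:99:13:53:
 *           99:45:7d:ee:6d:ba:2d:bf:e3:ad:6e:3d:9f:1a:f9:
 *           03:97:e0:17:55:ae:11:26:57:de:01:29:8e:05:3f:
 *           21:f7:e7:36:e8:2e:37:d7:48:ac:53:d6:60:0e:c7:
 *           50:6d:f6:c5:85:f7:8b:a6:c5:91:35:72:3c:94:ee:
 *           f1:17:f0:71:e3:ec:1b:ce:ca:4e:40:42:b0:6d:ee:
 *           6a:0e:d6:e5:ad:3c:0f:c9:ba:82:4f:78:f8:89:97:
 *           89:2a:95:12:4c:d8:09:2a:e9
 *         Exponent: 65537 (0x10001)
 *     X509v3 extensions:
 *       X509v3 Subject Key Identifier:
 *         FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
 *       X509v3 Authority Key Identifier:
 *         keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14
 *         DirName:/C=US/ST=Some-State/L=Some-City/O=Some-Org
 *       X509v3 Basic Constraints:
 *         CA:TRUE
 *   Signature Algorithm: md5WithRSAEncryption
 *
 * CRL:
 * Certificate Revocation List (CRL):
 *   Version 2 (0x1)
 *   Signature Algorithm: md5WithRSAEncryption
 *   Issuer: /C=US/ST=Some-State/L=Some-City/O=Some-Org
 *   Last Update: Mar 16 16:27:14 2009 GMT
 *   Next Update: May 15 16:27:14 2028 GMT
 *   CRL extensions:
 *     X509v3 CRL Number:
 *       2
 *   Revoked Certificates:
 *     Serial Number: 19
 *       Revocation Date: Mar 16 16:22:08 2009 GMT
 *       CRL entry extensions:
 *         X509v3 CRL Reason Code:
 *           Superseded
 *   Signature Algorithm: md5WithRSAEncryption
 */

import java.io.*;
import java.net.SocketException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPathValidatorException.BasicReason;

public class FailoverToCRL {

    /** Self-signed CA certificate used as the single trust anchor. */
    static String trusedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
        "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
        "EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ\n" +
        "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
        "dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
        "gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX\n" +
        "4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj\n" +
        "7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G\n" +
        "A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ\n" +
        "hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt\n" +
        "U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw\n" +
        "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA\n" +
        "ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ\n" +
        "LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P\n" +
        "6Mvf0r1PNTY2hwTJLJmKtg==\n" +
        "-----END CERTIFICATE-----";

    /** End-entity certificate (serial 0x19) that the CRL below revokes. */
    static String targetCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICizCCAfSgAwIBAgIBGTANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" +
        "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" +
        "EwhTb21lLU9yZzAeFw0wOTAzMTYxNDU1MzVaFw0yODEyMDExNDU1MzVaMHIxCzAJ\n" +
        "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" +
        "dHkxETAPBgNVBAoTCFNvbWUtT3JnMRMwEQYDVQQLEwpTU0wtQ2xpZW50MRIwEAYD\n" +
        "VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALvwQDas\n" +
        "JlRO9KNaAC9pIW+5ejqT7KL24Y7HY9gvEjCZLrDyj/gnLSR4KIT3Ab+NRHndO9JV\n" +
        "8848slshfe/9M0qxo//GyJu5D3xBNZf52zoFYAUVr1kXkqMQrRYc5AdTr6h2olYq\n" +
        "ktP5KOB4z14fSKtcGd3hZ0O6dY31gqxDkkQbAgMBAAGjWjBYMAkGA1UdEwQCMAAw\n" +
        "CwYDVR0PBAQDAgXgMB0GA1UdDgQWBBTNu8iFqpG9/R2+zWd8/7PpTKgi5jAfBgNV\n" +
        "HSMEGDAWgBT6uVG/TOfZhpgz+efLHvEzSfeoFDANBgkqhkiG9w0BAQQFAAOBgQBv\n" +
        "p7JjCDOrMBNun46xs4Gz7Y4ygM5VHaFP0oO7369twvRSu0pCuIdZd5OIMPFeRqQw\n" +
        "PA68ZdhYVR0pG5W7isV+jB+Dfge/IOgOA85sZ/6FlP3PBRW+YMQKKdRr5So3ook9\n" +
        "PimQ7rbxRAofPECv20IUKFBbOUkU+gFcn+WbTKYxBw==\n" +
        "-----END CERTIFICATE-----";

    /** CRL issued by the CA above; its single entry revokes serial 0x19. */
    static String crlStr =
        "-----BEGIN X509 CRL-----\n" +
        "MIIBRTCBrwIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzETMBEGA1UE\n" +
        "CBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQKEwhTb21l\n" +
        "LU9yZxcNMDkwMzE2MTYyNzE0WhcNMjgwNTE1MTYyNzE0WjAiMCACARkXDTA5MDMx\n" +
        "NjE2MjIwOFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcN\n" +
        "AQEEBQADgYEAMixJI9vBwYpOGosn46+T/MTEtlm2S5pIVT/xPDrHkCPfw8l4Zrgp\n" +
        "dGPuUkglWdrGdxY9MNRUj2YFNfdZi6zZ7JF6XbkDHYOAKYgPDJRjS/0VcBntn5RJ\n" +
        "sQfZsBqc9fFSP8gknRRn3LT41kr9xNRxTT1t3YYjv7J3zkMYyInqeUA=\n" +
        "-----END X509 CRL-----";

    /**
     * Wraps a PEM-encoded string as a byte stream for CertificateFactory.
     * PEM is 7-bit ASCII, so the charset is fixed rather than left to the
     * platform default (which would corrupt the input on a non-ASCII-compatible
     * platform).
     */
    private static InputStream pemStream(String pem) {
        return new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * Builds the certification path under test: a single-element path holding
     * only the end-entity certificate (the CA is supplied as a trust anchor).
     *
     * @throws CertificateException if the PEM fixture cannot be parsed
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate targetCert = cf.generateCertificate(pemStream(targetCertStr));
        return cf.generateCertPath(Collections.singletonList(targetCert));
    }

    /**
     * Builds the trust-anchor set: exactly one anchor, the CA certificate, with
     * no name constraints.
     *
     * @throws CertificateException if the PEM fixture cannot be parsed
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate trustedCert = cf.generateCertificate(pemStream(trusedCertStr));
        TrustAnchor anchor = new TrustAnchor((X509Certificate) trustedCert, null);
        return Collections.singleton(anchor);
    }

    /**
     * Builds a Collection CertStore holding the CRL fixture, which is what the
     * PKIX validator falls back to once OCSP is found to be unusable.
     *
     * @throws Exception if the CRL cannot be parsed or the store cannot be built
     */
    private static CertStore generateCertificateStore() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls = cf.generateCRLs(pemStream(crlStr));
        return CertStore.getInstance("Collection",
            new CollectionCertStoreParameters(crls));
    }

    /**
     * Validates {@code path} and requires the result to be a
     * {@link BasicReason#REVOKED} failure.
     *
     * A validation that returns normally is treated as a test failure: the
     * certificate is on the CRL, so a "successful" result means revocation
     * status was never consulted -- exactly the masking this test guards
     * against. (The original loop silently passed in that case.) Any failure
     * reason other than REVOKED is also a test failure.
     *
     * @param validator   PKIX validator to use
     * @param path        path holding the revoked end-entity certificate
     * @param params      parameters with revocation checking enabled and the
     *                    CRL store attached
     * @param description suffix for the progress message
     * @throws Exception on a successful validation or a non-REVOKED failure
     */
    private static void validateExpectingRevoked(CertPathValidator validator,
            CertPath path, PKIXParameters params, String description)
            throws Exception {
        System.out.println("Validating cert via OCSP: " + description);
        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException cpve) {
            if (cpve.getReason() != BasicReason.REVOKED) {
                throw new Exception(
                    "unexpected exception, should be a REVOKED CPVE", cpve);
            }
            System.out.println("  successful failover to using CRLs");
            return;
        }
        throw new Exception("validation succeeded, but the certificate is "
            + "revoked by the CRL: revocation status was not checked");
    }

    public static void main(String[] args) throws Exception {
        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();
        CertStore crls = generateCertificateStore();

        PKIXParameters params = new PKIXParameters(anchors);

        // The CRL store is the only revocation source that can actually work
        // here; OCSP is enabled below but deliberately left unusable.
        params.addCertStore(crls);
        params.setRevocationEnabled(true);

        // Activate OCSP and CRL distribution-point fetching.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        // Case 1 depends on there being no responder URL at all; a value
        // inherited from java.security would invalidate the test.
        if (Security.getProperty("ocsp.responderURL") != null) {
            throw new
                Exception("The ocsp.responderURL property must not be set");
        }

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // Case 1: OCSP enabled, no responder URL configured anywhere.
        validateExpectingRevoked(validator, path, params, "no responder URL");

        // Case 2: OCSP enabled with an unusable (relative, unresolvable)
        // responder URI on an explicit PKIXRevocationChecker.
        PKIXRevocationChecker revocationChecker =
            (PKIXRevocationChecker) validator.getRevocationChecker();
        revocationChecker.setOCSPResponder(new URI("bad_ocsp_responder_url"));
        params.addCertPathChecker(revocationChecker);

        validateExpectingRevoked(validator, path, params, "bad responder URL");
    }
}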