CircularCRLTwoLevel.java revision 9062:5bb4952ea3e0
1/* 2 * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24// 25// Security properties, once set, cannot revert to unset. To avoid 26// conflicts with tests running in the same VM isolate this test by 27// running it in otherVM mode. 28// 29 30/** 31 * @test 32 * 33 * @bug 6720721 34 * @summary CRL check with circular depency support needed 35 * @run main/othervm CircularCRLTwoLevel 36 * @author Xuelei Fan 37 */ 38 39import java.io.*; 40import java.net.SocketException; 41import java.util.*; 42import java.security.Security; 43import java.security.cert.*; 44import java.security.cert.CertPathValidatorException.BasicReason; 45 46public class CircularCRLTwoLevel { 47 48 static String selfSignedCertStr = 49 "-----BEGIN CERTIFICATE-----\n" + 50 "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 51 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + 52 "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + 53 "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + 54 "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + 55 "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + 56 "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + 57 "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + 58 "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + 59 "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + 60 "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + 61 "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + 62 "Vjw=\n" + 63 "-----END CERTIFICATE-----"; 64 65 static String subCaCertStr = 66 "-----BEGIN CERTIFICATE-----\n" + 67 "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 68 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + 69 "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + 70 "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + 71 "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + 72 "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + 73 "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + 74 "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + 75 "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + 76 "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + 77 "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + 78 "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + 79 "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + 80 "-----END CERTIFICATE-----"; 81 82 static String targetCertStr = 83 "-----BEGIN CERTIFICATE-----\n" + 84 "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + 85 "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + 86 "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + 87 "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + 88 "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" + 89 "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" + 90 "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" + 91 "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" + 92 "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + 93 "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" + 94 "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" + 95 "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" + 96 "-----END CERTIFICATE-----"; 97 98 static String topCrlIssuerCertStr = 99 "-----BEGIN CERTIFICATE-----\n" + 100 "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 101 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + 102 "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + 103 "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + 104 "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + 105 "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + 106 "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + 107 "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + 108 "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + 109 "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + 110 "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + 111 "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + 112 "-----END CERTIFICATE-----"; 113 114 static String subCrlIssuerCertStr = 115 "-----BEGIN CERTIFICATE-----\n" + 116 "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 117 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + 118 "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + 119 "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + 120 "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + 121 "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + 122 "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + 123 "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + 124 "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + 125 "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + 126 "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + 127 "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + 128 "rg==\n" + 129 "-----END CERTIFICATE-----"; 130 131 static String topCrlStr = 132 "-----BEGIN X509 CRL-----\n" + 133 "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + 134 "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + 135 "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + 136 "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + 137 "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + 138 "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + 139 "-----END X509 CRL-----"; 140 141 static String subCrlStr = 142 "-----BEGIN X509 CRL-----\n" + 143 "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + 144 "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + 145 "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + 146 "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + 147 "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + 148 "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + 149 "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + 150 "-----END X509 CRL-----"; 151 152 private static CertPath generateCertificatePath() 153 throws CertificateException { 154 // generate certificate from cert strings 155 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 156 157 ByteArrayInputStream is; 158 159 is = new ByteArrayInputStream(targetCertStr.getBytes()); 160 Certificate targetCert = cf.generateCertificate(is); 161 162 is = new ByteArrayInputStream(subCaCertStr.getBytes()); 163 Certificate subCaCert = cf.generateCertificate(is); 164 165 is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); 166 Certificate selfSignedCert = cf.generateCertificate(is); 167 168 // generate certification path 169 List<Certificate> list = Arrays.asList(new Certificate[] { 170 targetCert, subCaCert, selfSignedCert}); 171 172 return cf.generateCertPath(list); 173 } 174 175 private static Set<TrustAnchor> generateTrustAnchors() 176 throws CertificateException { 177 // generate certificate from cert string 178 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 179 180 ByteArrayInputStream is = 181 new ByteArrayInputStream(selfSignedCertStr.getBytes()); 182 Certificate selfSignedCert = cf.generateCertificate(is); 183 184 // generate a trust anchor 185 TrustAnchor anchor = 186 new TrustAnchor((X509Certificate)selfSignedCert, null); 187 188 return Collections.singleton(anchor); 189 } 190 191 private static CertStore generateCertificateStore() throws Exception { 192 Collection entries = new HashSet(); 193 194 // generate CRL from CRL string 195 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 196 197 ByteArrayInputStream is = 198 new ByteArrayInputStream(topCrlStr.getBytes()); 199 Collection mixes = cf.generateCRLs(is); 200 entries.addAll(mixes); 201 202 is = new ByteArrayInputStream(subCrlStr.getBytes()); 203 mixes = cf.generateCRLs(is); 204 entries.addAll(mixes); 205 206 // intermediate certs 207 is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); 208 mixes = cf.generateCertificates(is); 209 entries.addAll(mixes); 210 211 is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); 212 mixes = cf.generateCertificates(is); 213 entries.addAll(mixes); 214 215 return CertStore.getInstance("Collection", 216 new CollectionCertStoreParameters(entries)); 217 } 218 219 public static void main(String args[]) throws Exception { 220 // MD5 is used in this test case, don't disable MD5 algorithm. 221 Security.setProperty( 222 "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); 223 224 CertPath path = generateCertificatePath(); 225 Set<TrustAnchor> anchors = generateTrustAnchors(); 226 CertStore crls = generateCertificateStore(); 227 228 PKIXParameters params = new PKIXParameters(anchors); 229 230 // add the CRL store 231 params.addCertStore(crls); 232 233 // Activate certificate revocation checking 234 params.setRevocationEnabled(true); 235 236 // set the validation time 237 params.setDate(new Date(109, 5, 1)); // 2009-05-01 238 239 // disable OCSP checker 240 Security.setProperty("ocsp.enable", "false"); 241 242 // enable CRL checker 243 System.setProperty("com.sun.security.enableCRLDP", "true"); 244 245 CertPathValidator validator = CertPathValidator.getInstance("PKIX"); 246 247 try { 248 validator.validate(path, params); 249 } catch (CertPathValidatorException cpve) { 250 if (cpve.getReason() != BasicReason.REVOKED) { 251 throw new Exception( 252 "unexpect exception, should be a REVOKED CPVE", cpve); 253 } 254 } 255 } 256} 257