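/*
 * Copyright (c) 2001, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/**
 * @test
 * @bug 4459538
 * @summary make sure that target constraints are processed correctly
 *          by a PKIX CertPathValidator
 */

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

import java.math.BigInteger;

import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.cert.X509CertSelector;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * ValidateTargetConstraints performs a simple validation of a certification
 * path, but adds a requirement that the serial number of the last
 * certificate match an arbitrarily chosen number. This should cause the
 * validation to fail.
 *
 * @author      Steve Hanna
 * @author      Sean Mullan
 */
public final class ValidateTargetConstraints {

    // Both fields are populated by createPath() and consumed by main().
    private static CertPath path;
    private static PKIXParameters params;

    /**
     * Builds the certification path and expects PKIX validation to reject it.
     *
     * @param args unused
     * @throws Exception if validation unexpectedly succeeds, or if the
     *         certificates cannot be loaded
     */
    public static void main(String[] args) throws Exception {

        // certs[0] is the trust anchor; the remaining entries form the path.
        String[] certs = { "sun.cer", "sun2labs1.cer" };

        try {
            createPath(certs);
            validate(path, params);
            throw new Exception
                ("CertPath should not have been validated succesfully");
        } catch (CertPathValidatorException cpve) {
            // NOTE(review): any CertPathValidatorException satisfies this
            // test. The catch does not confirm that the rejection came from
            // the target constraint rather than from another PKIX check
            // (for example certificate validity dates). Pinning the
            // validation time with PKIXParameters.setDate and inspecting the
            // exception would make the test specific -- TODO confirm against
            // the test certificates.
            System.out.println("Test failed as expected: " + cpve);
        }
    }

    /**
     * Loads the named certificates and initialises the static {@code path}
     * and {@code params} fields used by the test.
     *
     * @param certs file names; {@code certs[0]} becomes the trust anchor and
     *        the remaining entries become the certification path
     * @throws Exception if a certificate cannot be read or the path or
     *         parameters cannot be constructed
     */
    public static void createPath(String[] certs) throws Exception {
        // null name constraints: the anchor is trusted without restriction.
        TrustAnchor anchor = new TrustAnchor(getCertFromFile(certs[0]), null);
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            // Insert at the front, so the list ends up in reverse file order
            // (the last file named becomes the first path element).
            list.add(0, getCertFromFile(certs[i]));
        }
        CertificateFactory cf = CertificateFactory.getInstance("X509");
        path = cf.generateCertPath(list);

        Set anchors = Collections.singleton(anchor);
        params = new PKIXParameters(anchors);
        // Revocation checking is switched off for this test, leaving the
        // target constraint below as the only check added beyond basic
        // path validation.
        params.setRevocationEnabled(false);
        // Require a serial number that the class comment describes as
        // arbitrarily chosen; the target certificate is expected not to
        // match it, so validation must fail.
        X509CertSelector sel = new X509CertSelector();
        sel.setSerialNumber(new BigInteger("1427"));
        params.setTargetCertConstraints(sel);
    }

    /**
     * Get a DER-encoded X.509 certificate from a file.
     *
     * The file is resolved against the {@code test.src} system property,
     * falling back to the current directory when the property is unset.
     *
     * @param certFilePath path to file containing DER-encoded certificate
     * @return X509Certificate
     * @throws IOException on any failure to open, read or parse the file;
     *         the original exception is attached as the cause
     */
    public static X509Certificate getCertFromFile(String certFilePath)
        throws IOException {
        try {
            File certFile = new File(System.getProperty("test.src", "."),
                certFilePath);
            FileInputStream certFileInputStream =
                new FileInputStream(certFile);
            try {
                CertificateFactory cf = CertificateFactory.getInstance("X509");
                return (X509Certificate)
                    cf.generateCertificate(certFileInputStream);
            } finally {
                // Always release the file handle, including when parsing
                // fails.
                certFileInputStream.close();
            }
        } catch (Exception e) {
            // Keep the original exception as the cause so the real failure
            // (missing file, malformed certificate, ...) stays diagnosable.
            IOException ioe = new IOException(
                "Can't construct X509Certificate: " + e.getMessage());
            ioe.initCause(e);
            throw ioe;
        }
    }

    /**
     * Perform a PKIX validation.
     *
     * @param path CertPath to validate
     * @param params PKIXParameters to use in validation
     * @throws Exception on error; a rejected path surfaces as a
     *         CertPathValidatorException
     */
    public static void validate(CertPath path, PKIXParameters params)
        throws Exception {
        CertPathValidator validator =
            CertPathValidator.getInstance("PKIX");
        // The result object is not needed: the test only cares whether
        // validate() throws.
        validator.validate(path, params);
    }
}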