1/*
2 * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24/*
25 * @test
26 * @bug 8011402
27 * @summary Move blacklisting certificate logic from hard code to data
28 * @modules java.base/sun.security.util
29 */
30
import sun.security.util.UntrustedCertificates;

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
37
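public class CheckBlacklistedCerts {

    /**
     * Checks that the runtime's certificate blacklist data is self-consistent:
     * <ul>
     *   <li>no root CA shipped in {@code lib/security/cacerts} is reported as
     *       untrusted by {@link UntrustedCertificates#isUntrusted};</li>
     *   <li>every certificate in the source PEM blacklist file(s) is reported
     *       as untrusted;</li>
     *   <li>the generated {@code lib/security/blacklisted.certs} declares
     *       exactly one fingerprint algorithm and, when the PEM sources were
     *       found, exactly one fingerprint per blacklisted certificate.</li>
     * </ul>
     *
     * @param args ignored
     * @throws Exception if any check fails, or if a required file such as
     *         {@code cacerts} or {@code blacklisted.certs} cannot be read
     *         (a missing file is itself a failure, not a skip)
     */
    public static void main(String[] args) throws Exception {

        String home = System.getProperty("java.home");
        boolean failed = false;

        // Root CAs should always be trusted.
        // The keystore is loaded with a null password, so its integrity MAC
        // is not verified here; the test trusts the cacerts shipped in
        // java.home and only checks its contents against the blacklist.
        File file = new File(home, "lib/security/cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream fis = new FileInputStream(file)) {
            ks.load(fis, null);
        }
        System.out.println("Check for cacerts: " + ks.size());
        for (String alias: Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
            if (cert == null) {
                // Not a certificate entry; nothing to check for this alias.
                continue;
            }
            if (UntrustedCertificates.isUntrusted(cert)) {
                // println (not print) so each failure sits on its own line
                // instead of running into the next progress message.
                System.out.println(alias + " is untrusted");
                failed = true;
            }
        }

        // All certs in the pem files. Certificate.equals compares the DER
        // encoding, so duplicates across the two PEM files count once.
        Set<Certificate> blacklisted = new HashSet<>();

        // Hopefully src comes with test, but it might be missing if doing
        // a -testonly JPRT job.
        File[] blacklists = {
            new File(System.getProperty("test.src"),
                "../../../make/data/blacklistedcertsconverter/blacklisted.certs.pem"),
            new File(System.getProperty("test.src"),
                "../../../make/closed/data/blacklistedcertsconverter/blacklisted.certs.pem")
        };

        // Is this an OPENJDK build? If so there is no closed blacklist;
        // keep only the open one.
        String prop = System.getProperty("java.runtime.name");
        if (prop != null && prop.startsWith("OpenJDK")) {
            System.out.println("This is a OpenJDK build.");
            blacklists = Arrays.copyOf(blacklists, 1);
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (File blacklist: blacklists) {
            System.out.print("Check for " + blacklist + ": ");
            if (!blacklist.exists()) {
                // A missing PEM source is tolerated (see comment above);
                // the later size comparison is skipped when none was found.
                System.out.println("does not exist");
            } else {
                try (FileInputStream fis = new FileInputStream(blacklist)) {
                    Collection<? extends Certificate> certs
                            = cf.generateCertificates(fis);
                    System.out.println(certs.size());
                    for (Certificate c: certs) {
                        blacklisted.add(c);
                        X509Certificate cert = ((X509Certificate)c);
                        if (!UntrustedCertificates.isUntrusted(cert)) {
                            // getSubjectX500Principal replaces the denigrated
                            // getSubjectDN; this is diagnostic output only.
                            System.out.println(cert.getSubjectX500Principal()
                                    + " is trusted");
                            failed = true;
                        }
                    }
                }
            }
        }

        // Check the blacklisted.certs file itself. The file is plain ASCII
        // (one "Algorithm=..." line plus hex fingerprints), so read it with a
        // fixed charset rather than the platform default.
        file = new File(home, "lib/security/blacklisted.certs");
        System.out.print("Check for " + file + ": ");
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(file),
                        StandardCharsets.UTF_8))) {
            int acount = 0;   // "Algorithm" header lines
            int ccount = 0;   // fingerprint lines (non-empty, not comments)
            while (true) {
                String line = reader.readLine();
                if (line == null) break;
                if (line.startsWith("Algorithm")) {
                    acount++;
                } else if (!line.isEmpty() && !line.startsWith("#")) {
                    ccount++;
                }
            }
            System.out.println(acount + " algs, " + ccount + " certs" );
            if (acount != 1) {
                System.out.println("There are " + acount + " algorithms");
                failed = true;
            }
            // Only compare counts when at least one PEM source was read;
            // otherwise there is nothing to compare against.
            if (ccount != blacklisted.size()
                    && !blacklisted.isEmpty()) {
                System.out.println("Wrong blacklisted.certs size: "
                        + ccount + " fingerprints, "
                        + blacklisted.size() + " certs");
                failed = true;
            }
        }

        if (failed) {
            throw new Exception("Failed");
        }
    }
}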
135