1/* 2 * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24// 25// Security properties, once set, cannot revert to unset. To avoid 26// conflicts with tests running in the same VM isolate this test by 27// running it in otherVM mode. 28// 29 30/** 31 * @test 32 * @bug 6852744 33 * @summary PIT b61: PKI test suite fails because self signed certificates 34 * are being rejected 35 * @modules java.base/sun.security.util 36 * @run main/othervm DisableRevocation subca 37 * @run main/othervm DisableRevocation subci 38 * @run main/othervm DisableRevocation alice 39 * @author Xuelei Fan 40 */ 41 42import java.io.*; 43import java.net.SocketException; 44import java.util.*; 45import java.security.Security; 46import java.security.cert.*; 47import java.security.cert.CertPathValidatorException.BasicReason; 48import sun.security.util.DerInputStream; 49 50/** 51 * A test case helps to ensure that a certification path building process is 52 * able to identify a self-issued certificate from its issuer when disable 53 * revocation checking. 54 */ 55public final class DisableRevocation { 56 57 // the trust anchor 58 static String selfSignedCertStr = 59 "-----BEGIN CERTIFICATE-----\n" + 60 "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 61 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" + 62 "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + 63 "AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" + 64 "81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" + 65 "m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" + 66 "AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" + 67 "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + 68 "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + 69 "DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" + 70 "ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" + 71 "DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" + 72 "v/E=\n" + 73 "-----END CERTIFICATE-----"; 74 75 // the sub-ca 76 static String subCaCertStr = 77 "-----BEGIN CERTIFICATE-----\n" + 78 "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 79 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" + 80 "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + 81 "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" + 82 "srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" + 83 "+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" + 84 "E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" + 85 "KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + 86 "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + 87 "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" + 88 "MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" + 89 "RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" + 90 "iil34GktVl6gfMKGzUEW/Dh8OM4=\n" + 91 "-----END CERTIFICATE-----"; 92 93 // a delegated CRL issuer, it's a self-issued certificate of trust anchor 94 static String topCrlIssuerCertStr = 95 "-----BEGIN CERTIFICATE-----\n" + 96 "MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 97 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" + 98 "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + 99 "AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" + 100 "/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" + 101 "hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" + 102 "AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" + 103 "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + 104 "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + 105 "DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" + 106 "xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" + 107 "rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" + 108 "G0c=\n" + 109 "-----END CERTIFICATE-----"; 110 111 // a delegated CRL issuer, it's a self-issued certificate of sub-ca 112 static String subCrlIssuerCertStr = 113 "-----BEGIN CERTIFICATE-----\n" + 114 "MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + 115 "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" + 116 "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + 117 "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" + 118 "OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" + 119 "obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" + 120 "GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" + 121 "xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + 122 "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + 123 "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" + 124 "Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" + 125 "pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" + 126 "Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" + 127 "-----END CERTIFICATE-----"; 128 129 // the target EE certificate 130 static String targetCertStr = 131 "-----BEGIN CERTIFICATE-----\n" + 132 "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + 133 "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" + 134 "MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + 135 "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + 136 "9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" + 137 "T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" + 138 "1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" + 139 "cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" + 140 "uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" + 141 "9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" + 142 "yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" + 143 "G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" + 144 "-----END CERTIFICATE-----"; 145 146 private static Set<TrustAnchor> generateTrustAnchors() 147 throws CertificateException { 148 // generate certificate from cert string 149 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 150 151 ByteArrayInputStream is = 152 new ByteArrayInputStream(selfSignedCertStr.getBytes()); 153 Certificate selfSignedCert = cf.generateCertificate(is); 154 155 // generate a trust anchor 156 TrustAnchor anchor = 157 new TrustAnchor((X509Certificate)selfSignedCert, null); 158 159 return Collections.singleton(anchor); 160 } 161 162 private static CertStore generateCertificateStore() throws Exception { 163 Collection entries = new HashSet(); 164 165 // generate certificate from certificate string 166 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 167 168 ByteArrayInputStream is; 169 170 is = new ByteArrayInputStream(targetCertStr.getBytes()); 171 Certificate cert = cf.generateCertificate(is); 172 entries.add(cert); 173 174 is = new ByteArrayInputStream(subCaCertStr.getBytes()); 175 cert = cf.generateCertificate(is); 176 entries.add(cert); 177 178 is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); 179 cert = cf.generateCertificate(is); 180 entries.add(cert); 181 182 is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); 183 cert = cf.generateCertificate(is); 184 entries.add(cert); 185 186 is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); 187 cert = cf.generateCertificate(is); 188 entries.add(cert); 189 190 return CertStore.getInstance("Collection", 191 new CollectionCertStoreParameters(entries)); 192 } 193 194 private static X509CertSelector generateSelector(String name) 195 throws Exception { 196 X509CertSelector selector = new X509CertSelector(); 197 198 // generate certificate from certificate string 199 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 200 ByteArrayInputStream is = null; 201 if (name.equals("subca")) { 202 is = new ByteArrayInputStream(subCaCertStr.getBytes()); 203 } else if (name.equals("subci")) { 204 is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); 205 } else { 206 is = new ByteArrayInputStream(targetCertStr.getBytes()); 207 } 208 209 X509Certificate target = (X509Certificate)cf.generateCertificate(is); 210 byte[] extVal = target.getExtensionValue("2.5.29.14"); 211 if (extVal != null) { 212 DerInputStream in = new DerInputStream(extVal); 213 byte[] subjectKID = in.getOctetString(); 214 selector.setSubjectKeyIdentifier(subjectKID); 215 } else { 216 // unlikely to happen. 217 throw new Exception("unexpected certificate: no SKID extension"); 218 } 219 220 return selector; 221 } 222 223 private static boolean match(String name, Certificate cert) 224 throws Exception { 225 X509CertSelector selector = new X509CertSelector(); 226 227 // generate certificate from certificate string 228 CertificateFactory cf = CertificateFactory.getInstance("X.509"); 229 ByteArrayInputStream is = null; 230 if (name.equals("subca")) { 231 is = new ByteArrayInputStream(subCaCertStr.getBytes()); 232 } else if (name.equals("subci")) { 233 is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); 234 } else { 235 is = new ByteArrayInputStream(targetCertStr.getBytes()); 236 } 237 X509Certificate target = (X509Certificate)cf.generateCertificate(is); 238 239 return target.equals(cert); 240 } 241 242 243 public static void main(String[] args) throws Exception { 244 // MD5 is used in this test case, don't disable MD5 algorithm. 245 Security.setProperty( 246 "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); 247 248 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); 249 250 X509CertSelector selector = generateSelector(args[0]); 251 252 Set<TrustAnchor> anchors = generateTrustAnchors(); 253 CertStore certs = generateCertificateStore(); 254 255 256 PKIXBuilderParameters params = 257 new PKIXBuilderParameters(anchors, selector); 258 params.addCertStore(certs); 259 params.setRevocationEnabled(false); 260 params.setDate(new Date(109, 7, 1)); // 2009-07-01 261 Security.setProperty("ocsp.enable", "false"); 262 System.setProperty("com.sun.security.enableCRLDP", "false"); 263 264 PKIXCertPathBuilderResult result = 265 (PKIXCertPathBuilderResult)builder.build(params); 266 267 if (!match(args[0], result.getCertPath().getCertificates().get(0))) { 268 throw new Exception("unexpected certificate"); 269 } 270 } 271} 272