NameConstraintsWithRID.java revision 1253:25db260cb810
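/*
 * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 * have any questions.
 */

/**
 * @test
 *
 * @bug 6845286
 * @summary Add regression test for name constraints
 * @author Xuelei Fan
 */

import java.io.*;
import java.net.SocketException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;

/**
 * Negative PKIX path-validation test: the path target -> sub CA -> self-signed
 * root must be rejected because the target's subjectAltName falls inside a
 * subtree that the sub CA's NameConstraints extension excludes.
 *
 * <p>NOTE(review): decoding the embedded DER by hand, both the sub CA's
 * excluded subtree and the target's subjectAltName appear to be the
 * registeredID 1.2.3.4.5 -- confirm with a certificate dump before relying on
 * the exact value.
 *
 * <p>The test passes only when validation fails with
 * {@link PKIXReason#INVALID_NAME}. Accepting any
 * {@link CertPathValidatorException} would let the test pass for an unrelated
 * reason (expired fixture, rejected algorithm, broken signature) while the
 * name-constraints check itself had regressed.
 */
public class NameConstraintsWithRID {

    // Root CA, self-signed; it is both the last element of the path and the
    // trust anchor.
    static String selfSignedCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICTjCCAbegAwIBAgIJAIoSzC1A/k4vMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxMloXDTMwMDQx\n" +
        "NzA5MjcxMlowHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUwgZ8wDQYJ\n" +
        "KoZIhvcNAQEBBQADgY0AMIGJAoGBANXzlv5Fn2cdgBRdEK/37/o8rqQXIRIMZqX6\n" +
        "BPuo46Cdhctv+n3hu5bj/PwgJVbAJcqcQfDudSSF5gwGlRqDX9vekPSS47XZXjOZ\n" +
        "qFcnDoWP0gSQXLYVVtjuItkecTrPyUE5v2lRIAh13MGKOSh3ZsrtFvj7Y5d9EqIP\n" +
        "SLxWWPuHAgMBAAGjgZEwgY4wHQYDVR0OBBYEFFydJvQMB2j4EDHW2bQabNsPUvDt\n" +
        "ME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsPUvDtoSOkITAfMQswCQYDVQQG\n" +
        "EwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A/k4vMA8GA1UdEwEB/wQFMAMB\n" +
        "Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA4GBAHgoopmZ1Q4qXhMDbbYQ\n" +
        "YCi4Cg6cXPFblx5gzhWu/6l9SkvZbAZiLszgyMq5dGj9WyTtibNEp232dQsKTFu7\n" +
        "3ag0DiFqoQ8btgvbwBlzhnRagoeVFjhuBBQutOScw7x8NCSBkZQow+31127mwu3y\n" +
        "YGYhEmI2dNmgbv1hVYTGmLXW\n" +
        "-----END CERTIFICATE-----";

    // Intermediate CA; per the failure message in main(), this is the
    // certificate whose NameConstraints excludes the target's name.
    static String subCaCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICdTCCAd6gAwIBAgIJAL+MYVyy7k5YMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxNFoXDTI5MDEy\n" +
        "MjA5MjcxNFowMTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUxEDAOBgNV\n" +
        "BAsTB0NsYXNzLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2mwX8dhP3M\n" +
        "i6ATRsd0wco+c7rsyEbP0CRQunVIP8/kOL8+zyQix+QZquY23tvBCbia424GXDkT\n" +
        "irvK/M4yGzrdS51hA5dlH3SHY3CWOAqEPqKtNLn1My4MWtTiUWbHi0YjFuOv0BXz\n" +
        "x9lTEfMf+3QcOgO5FitcqHIMP4jIlT+lAgMBAAGjgaYwgaMwHQYDVR0OBBYEFJHg\n" +
        "eyEWcjxcAwc01BPQrau/4HJaME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsP\n" +
        "UvDtoSOkITAfMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A\n" +
        "/k4vMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBMGA1UdHgQMMAqhCDAG\n" +
        "iAQqAwQFMA0GCSqGSIb3DQEBBQUAA4GBAI3CDQWZiTlVVVqfCiZwc/yIL7G5bu2g\n" +
        "ccgVz9PyKfTpq8vk59S23TvPwdPt4ZVx4RSoar9ONtbrcLxfP3X6WQ7e9popWNZV\n" +
        "q49YfyU1tD5HFuxj7CAsvfykuRo4ovXaTCVWlTMi7fJJdzU0Eb4xkXXhiWT/RbHG\n" +
        "R7J+8ROMZ+nR\n" +
        "-----END CERTIFICATE-----";

    // End-entity certificate; first element of the path under validation.
    static String targetCertStr =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICUDCCAbmgAwIBAgIJAOA8c10w019XMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV\n" +
        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFzcy0xMB4XDTA5\n" +
        "MDUwNzEwMjY0M1oXDTI5MDEyMjEwMjY0M1owQTELMAkGA1UEBhMCVVMxEDAOBgNV\n" +
        "BAoTB0V4YW1wbGUxEDAOBgNVBAsTB0NsYXNzLTExDjAMBgNVBAMTBVN1c2FuMIGf\n" +
        "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmyS8SskMX3mreD95oBaXUGNvPTK0\n" +
        "39IBdxle2TpJEBL/BcS4QUb2+67WjrXhUZWFtpc4RzywfvSSxZH2wbwDDJPs56OC\n" +
        "Eczsdnqe7gOroYm2TMfY0/pItgP3mRkhJpxAWFc/y7Qr8jJbPmKfiYbYROp1eR2t\n" +
        "BrjUiUTrAtM7GwIDAQABo2AwXjALBgNVHQ8EBAMCA+gwDwYDVR0RBAgwBogEKgME\n" +
        "BTAdBgNVHQ4EFgQUyqtfkWtPah5J658LHN8CEGIgAbgwHwYDVR0jBBgwFoAUkeB7\n" +
        "IRZyPFwDBzTUE9Ctq7/gclowDQYJKoZIhvcNAQEFBQADgYEAnwaLBteuJhXF56Rg\n" +
        "l8FIEzgJtT4yu/8WsYjhN6/aLGkgJ37VavWdhjwXIb1RVJE/ab3hTbWF5ht7jMcQ\n" +
        "/WnD8R8CpwEEX/n2wpb3zMHZ8zT7k0mWYm10mPHw1psjOUvJd/zB4gT4tc2A2soM\n" +
        "FbcNIaCtg8blO5ImdOz5hAi+NuY=\n" +
        "-----END CERTIFICATE-----";

    /**
     * Parses one PEM-encoded certificate.
     *
     * @param cf  the X.509 certificate factory to parse with
     * @param pem the PEM text of a single certificate
     * @return the parsed certificate
     * @throws CertificateException if the factory cannot parse the text
     */
    private static Certificate parseCertificate(CertificateFactory cf,
            String pem) throws CertificateException {
        // PEM is pure ASCII; naming the charset keeps the fixture bytes
        // independent of the platform default encoding.
        return cf.generateCertificate(
                new ByteArrayInputStream(
                        pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * Builds the certification path under test, ordered from the target
     * certificate up to the self-signed root.
     *
     * @return the path target, sub CA, self-signed root
     * @throws CertificateException if a certificate or the path cannot be
     *         built
     */
    private static CertPath generateCertificatePath()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        Certificate targetCert = parseCertificate(cf, targetCertStr);
        Certificate subCaCert = parseCertificate(cf, subCaCertStr);
        Certificate selfSignedCert = parseCertificate(cf, selfSignedCertStr);

        List<Certificate> chain =
                Arrays.asList(targetCert, subCaCert, selfSignedCert);

        return cf.generateCertPath(chain);
    }

    /**
     * Builds the trust-anchor set: the self-signed root only, with no
     * anchor-level name constraints (second constructor argument is null).
     *
     * @return a singleton set holding the root trust anchor
     * @throws CertificateException if the root certificate cannot be parsed
     */
    private static Set<TrustAnchor> generateTrustAnchors()
            throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        Certificate selfSignedCert = parseCertificate(cf, selfSignedCertStr);

        TrustAnchor anchor =
                new TrustAnchor((X509Certificate) selfSignedCert, null);

        return Collections.singleton(anchor);
    }

    /**
     * Validates the path and requires a name-constraints rejection.
     *
     * @param args unused
     * @throws Exception if validation succeeds, or fails for any reason
     *         other than {@link PKIXReason#INVALID_NAME}
     */
    public static void main(String args[]) throws Exception {
        CertPath path = generateCertificatePath();
        Set<TrustAnchor> anchors = generateTrustAnchors();

        PKIXParameters params = new PKIXParameters(anchors);

        // Revocation is switched off so that a revocation-status failure
        // cannot stand in for the name-constraints failure under test.
        params.setRevocationEnabled(false);

        // Fixed validation time: 8 June 2009, local midnight (Calendar months
        // are zero-based). A fixed date keeps the result independent of the
        // wall clock and of the fixtures' validity periods.
        params.setDate(new GregorianCalendar(2009, Calendar.JUNE, 8).getTime());

        // disable OCSP checker
        Security.setProperty("ocsp.enable", "false");

        // disable CRL checker
        System.setProperty("com.sun.security.enableCRLDP", "false");

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        try {
            validator.validate(path, params);
        } catch (CertPathValidatorException cpve) {
            // Only a name-constraints rejection counts as a pass; any other
            // failure means the check under test may never have been reached.
            if (cpve.getReason() != PKIXReason.INVALID_NAME) {
                throw new Exception(
                    "path rejected, but not by NameConstraints: reason=" +
                    cpve.getReason() + ", index=" + cpve.getIndex(), cpve);
            }
            return;
        }

        throw new Exception(
            "the subjectAltName is excluded by NameConstraints, " +
            "should thrown CertPathValidatorException");
    }
}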