PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/jdk17u
Path: blob/master/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java
/*
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.*;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.*;
import java.time.*;
import java.util.*;
import javax.net.ssl.*;
import sun.security.validator.Validator;
import sun.security.validator.ValidatorException;

import jdk.test.lib.security.SecurityUtils;
/**
* @test
* @bug 8207258 8216280
* @summary Check that TLS Server certificates chaining back to distrusted
* Symantec roots are invalid
* @library /test/lib
* @modules java.base/sun.security.validator
* @run main/othervm Distrust after policyOn invalid
* @run main/othervm Distrust after policyOff valid
* @run main/othervm Distrust before policyOn valid
* @run main/othervm Distrust before policyOff valid
*/
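public class Distrust {

    private static final String TEST_SRC = System.getProperty("test.src", ".");

    // Initialized once in main(); every chain file is parsed with it.
    private static CertificateFactory cf;

    // Each of the roots has a test certificate chain stored in a file
    // named "<root>-chain.pem".
    private static final String[] rootsToTest = {
        "geotrustprimarycag2", "geotrustprimarycag3",
        "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2",
        "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
        "verisignclass3g5ca", "verisignuniversalrootca" };

    // Each of the subCAs with a delayed distrust date has a test certificate
    // chain stored in a file named "<subCA>-chain.pem".
    private static final String[] subCAsToTest = { "appleistca8g1" };

    // A date that is after the restrictions take effect
    private static final Date APRIL_17_2019 =
        startOfDayUtc(LocalDate.of(2019, 4, 17));

    // A date that is a second before the restrictions take effect
    private static final Date BEFORE_APRIL_17_2019 =
        oneSecondBefore(APRIL_17_2019);

    // A date that is after the subCA restrictions take effect
    private static final Date JANUARY_1_2020 =
        startOfDayUtc(LocalDate.of(2020, 1, 1));

    // A date that is a second before the subCA restrictions take effect
    private static final Date BEFORE_JANUARY_1_2020 =
        oneSecondBefore(JANUARY_1_2020);

    // Fixed validation instant (epoch millis) for the code-signing chain,
    // so that check keeps passing after the test certificate expires.
    private static final long CODE_SIGNING_VALIDATION_MILLIS = 1544197375493L;

    // Start of the given calendar day in UTC as a legacy Date (the
    // X509Certificate and Validator APIs still take java.util.Date).
    private static Date startOfDayUtc(LocalDate day) {
        return Date.from(day.atStartOfDay(ZoneOffset.UTC).toInstant());
    }

    // The instant exactly one second before the given date.
    private static Date oneSecondBefore(Date date) {
        return new Date(date.getTime() - 1000L);
    }

    /**
     * Entry point; see the {@code @run} tags. Expects three arguments:
     * {@code before|after} (report a server-cert notBefore that is before
     * or after the distrust date), {@code policyOn|policyOff} (keep the
     * distrust policy enabled or clear it) and {@code valid|invalid}
     * (whether the chains are expected to be accepted). Each run needs its
     * own VM because the {@code policyOff} case changes a process-wide
     * Security property.
     *
     * @throws Exception if any chain does not produce the expected outcome
     */
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            throw new IllegalArgumentException("usage: Distrust "
                + "<before|after> <policyOn|policyOff> <valid|invalid>");
        }

        cf = CertificateFactory.getInstance("X.509");

        boolean before = args[0].equals("before");
        boolean policyOn = args[1].equals("policyOn");
        boolean isValid = args[2].equals("valid");

        if (!policyOn) {
            // disable policy (default is on)
            Security.setProperty("jdk.security.caDistrustPolicies", "");
        }

        Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;

        X509TrustManager pkixTM = getTMF("PKIX", null);
        X509TrustManager sunX509TM = getTMF("SunX509", null);
        for (String test : rootsToTest) {
            testWithBothTMs(sunX509TM, pkixTM, test, notBefore, isValid);
        }

        // test chain if params are passed to TrustManager
        System.err.println("Testing verisignuniversalrootca with params");
        testTM(getTMF("PKIX", getParams()),
               loadCertificateChain("verisignuniversalrootca"),
               notBefore, isValid);

        // test code-signing chain (should be valid as restrictions don't apply)
        System.err.println("Testing verisignclass3g5ca code-signing chain");
        Validator v = Validator.getInstance(Validator.TYPE_PKIX,
                                            Validator.VAR_CODE_SIGNING,
                                            getParams());
        // set validation date so this will still pass when cert expires
        v.setValidationDate(new Date(CODE_SIGNING_VALIDATION_MILLIS));
        v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));

        // test chains issued through subCAs
        notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
        for (String test : subCAsToTest) {
            testWithBothTMs(sunX509TM, pkixTM, test, notBefore, isValid);
        }
    }

    // Loads "<name>-chain.pem" and checks it with both trust managers;
    // each one must produce the expected result.
    private static void testWithBothTMs(X509TrustManager sunX509TM,
            X509TrustManager pkixTM, String name, Date notBefore,
            boolean valid) throws Exception {
        System.err.println("Testing " + name);
        X509Certificate[] chain = loadCertificateChain(name);

        testTM(sunX509TM, chain, notBefore, valid);
        testTM(pkixTM, chain, notBefore, valid);
    }

    /**
     * Returns the first X509TrustManager of the given factory type.
     *
     * @param type   TrustManagerFactory algorithm ("PKIX" or "SunX509")
     * @param params PKIX parameters, or {@code null} to initialize the
     *               factory with the default trust store
     * @throws Exception if the factory yields no X509TrustManager
     */
    private static X509TrustManager getTMF(String type,
            PKIXBuilderParameters params) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(type);
        if (params == null) {
            tmf.init((KeyStore) null);
        } else {
            tmf.init(new CertPathTrustManagerParameters(params));
        }
        // Skip rather than cast any non-X509 manager the factory returns.
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new Exception("No TrustManager for " + type);
    }

    // PKIX parameters anchored on the cacerts trust store, with revocation
    // checking disabled so the test does not depend on CRL/OCSP lookups.
    private static PKIXBuilderParameters getParams() throws Exception {
        PKIXBuilderParameters pbp =
            new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(),
                                      new X509CertSelector());
        pbp.setRevocationEnabled(false);
        return pbp;
    }

    /**
     * Checks one chain with the given trust manager and compares the
     * outcome with {@code valid}.
     *
     * @param xtm       trust manager to exercise
     * @param chain     chain whose first element is the TLS server cert;
     *                  the array itself is not modified
     * @param notBefore notBefore date the server cert should report
     * @param valid     whether the chain is expected to be accepted
     * @throws Exception if the outcome differs from {@code valid}, or the
     *                   chain is rejected for a reason other than distrust
     */
    private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
            Date notBefore, boolean valid) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("certificate chain is empty");
        }

        // Check if TLS Server certificate (the first element of the chain)
        // is issued after the specified notBefore date (should be rejected
        // unless distrust property is false). To do this, we need to
        // fake the notBefore date since none of the test certs are issued
        // after then. Work on a copy so the caller can reuse the same chain
        // with another trust manager.
        X509Certificate[] testChain = chain.clone();
        testChain[0] = new DistrustedTLSServerCert(chain[0], notBefore);

        try {
            xtm.checkServerTrusted(testChain, "ECDHE_RSA");
            if (!valid) {
                throw new Exception("chain should be invalid");
            }
        } catch (CertificateException ce) {
            // expired TLS certificates should not be treated as failure
            if (expired(ce)) {
                System.err.println("Test is N/A, chain is expired");
                return;
            }
            if (valid) {
                throw new Exception("Unexpected exception, chain " +
                    "should be valid", ce);
            }
            // Only an untrusted-cert verdict is the expected rejection;
            // any other error type means the chain failed for the wrong
            // reason and the test must not pass by accident.
            if (!(ce instanceof ValidatorException)) {
                throw new Exception("Unexpected exception: " + ce);
            }
            ValidatorException ve = (ValidatorException) ce;
            if (ve.getErrorType() != ValidatorException.T_UNTRUSTED_CERT) {
                ce.printStackTrace(System.err);
                throw new Exception("Unexpected exception: " + ce);
            }
        }
    }

    // check if the exception or any cause in its chain is an expired cert
    private static boolean expired(CertificateException ce) {
        for (Throwable t = ce; t != null; t = t.getCause()) {
            if (t instanceof CertificateExpiredException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses the certificates in {@code <test.src>/<name>-chain.pem}.
     *
     * @return the certificates in file order
     * @throws Exception if the file is missing or does not parse as X.509
     */
    private static X509Certificate[] loadCertificateChain(String name)
            throws Exception {
        Path pem = Paths.get(TEST_SRC, name + "-chain.pem");
        try (InputStream in = Files.newInputStream(pem)) {
            // toArray(T[]) narrows the element type without an unchecked
            // cast; a non-X509 certificate would surface as an
            // ArrayStoreException here.
            return cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
    }

    /**
     * Wrapper around a real TLS server certificate that reports a chosen
     * notBefore date and never fails its own validity check. The distrust
     * logic under test looks at the server certificate's notBefore date, so
     * faking it lets one stored chain exercise both the "issued before" and
     * "issued after" cases. Everything else is delegated to the wrapped
     * certificate, so signature verification still runs against the real
     * TBS bytes and signature.
     */
    private static class DistrustedTLSServerCert extends X509Certificate {
        private final X509Certificate cert;
        private final Date notBefore;

        DistrustedTLSServerCert(X509Certificate cert, Date notBefore) {
            this.cert = Objects.requireNonNull(cert, "cert");
            this.notBefore = Objects.requireNonNull(notBefore, "notBefore");
        }

        @Override
        public Set<String> getCriticalExtensionOIDs() {
            return cert.getCriticalExtensionOIDs();
        }

        @Override
        public byte[] getExtensionValue(String oid) {
            return cert.getExtensionValue(oid);
        }

        @Override
        public Set<String> getNonCriticalExtensionOIDs() {
            return cert.getNonCriticalExtensionOIDs();
        }

        @Override
        public boolean hasUnsupportedCriticalExtension() {
            return cert.hasUnsupportedCriticalExtension();
        }

        // Validity is deliberately not checked: the faked notBefore (and an
        // expired test certificate) must not mask the distrust verdict.
        @Override
        public void checkValidity() throws CertificateExpiredException,
                CertificateNotYetValidException {
            // always pass
        }

        @Override
        public void checkValidity(Date date) throws CertificateExpiredException,
                CertificateNotYetValidException {
            // always pass
        }

        @Override
        public int getVersion() { return cert.getVersion(); }

        @Override
        public BigInteger getSerialNumber() { return cert.getSerialNumber(); }

        // getIssuerDN/getSubjectDN are abstract in X509Certificate and must
        // be implemented even though they are deprecated.
        @SuppressWarnings("deprecation")
        @Override
        public Principal getIssuerDN() { return cert.getIssuerDN(); }

        @SuppressWarnings("deprecation")
        @Override
        public Principal getSubjectDN() { return cert.getSubjectDN(); }

        // The only value that differs from the wrapped certificate.
        @Override
        public Date getNotBefore() { return notBefore; }

        @Override
        public Date getNotAfter() { return cert.getNotAfter(); }

        @Override
        public byte[] getTBSCertificate() throws CertificateEncodingException {
            return cert.getTBSCertificate();
        }

        @Override
        public byte[] getSignature() { return cert.getSignature(); }

        @Override
        public String getSigAlgName() { return cert.getSigAlgName(); }

        @Override
        public String getSigAlgOID() { return cert.getSigAlgOID(); }

        @Override
        public byte[] getSigAlgParams() { return cert.getSigAlgParams(); }

        @Override
        public boolean[] getIssuerUniqueID() {
            return cert.getIssuerUniqueID();
        }

        @Override
        public boolean[] getSubjectUniqueID() {
            return cert.getSubjectUniqueID();
        }

        @Override
        public boolean[] getKeyUsage() { return cert.getKeyUsage(); }

        @Override
        public int getBasicConstraints() { return cert.getBasicConstraints(); }

        @Override
        public byte[] getEncoded() throws CertificateEncodingException {
            return cert.getEncoded();
        }

        @Override
        public void verify(PublicKey key) throws CertificateException,
                InvalidKeyException, NoSuchAlgorithmException,
                NoSuchProviderException, SignatureException {
            cert.verify(key);
        }

        @Override
        public void verify(PublicKey key, String sigProvider) throws
                CertificateException, InvalidKeyException, NoSuchAlgorithmException,
                NoSuchProviderException, SignatureException {
            cert.verify(key, sigProvider);
        }

        @Override
        public PublicKey getPublicKey() { return cert.getPublicKey(); }

        @Override
        public String toString() { return cert.toString(); }
    }
}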