1
/*
2
 * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4
 *
5
 * This code is free software; you can redistribute it and/or modify it
6
 * under the terms of the GNU General Public License version 2 only, as
7
 * published by the Free Software Foundation.
8
 *
9
 * This code is distributed in the hope that it will be useful, but WITHOUT
10
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
12
 * version 2 for more details (a copy is included in the LICENSE file that
13
 * accompanied this code).
14
 *
15
 * You should have received a copy of the GNU General Public License version
16
 * 2 along with this work; if not, write to the Free Software Foundation,
17
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18
 *
19
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20
 * or visit www.oracle.com if you need additional information or have any
21
 * questions.
22
 */
23

24
package org.openjdk.bench.java.security;
25

26
import java.io.ByteArrayInputStream;
27
import java.io.IOException;
28
import java.nio.charset.StandardCharsets;
29
import java.security.GeneralSecurityException;
30
import java.security.Key;
31
import java.security.KeyFactory;
32
import java.security.KeyStore;
33
import java.security.cert.Certificate;
34
import java.security.cert.CertificateFactory;
35
import java.security.spec.PKCS8EncodedKeySpec;
36
import java.util.Base64;
37

38
/**
39
 * This class contains a 3-certificate chain for use in TLS tests.
40
 * The method {@link #getKeyStore()} returns a keystore with a single entry
41
 * containing one server+one intermediate CA certificate.
42
 * Server's CN and subjectAltName are both set to "client"
43
 *
44
 * The method {@link #getTrustStore()} returns a keystore with a single entry
45
 * containing the root CA certificate used for signing the intermediate CA.
46
 */
47
class TestCertificates {
48

49
    // "/C=US/ST=CA/O=Test Root CA, Inc."
50
    // basicConstraints=critical, CA:true
51
    // subjectKeyIdentifier    = hash
52
    // authorityKeyIdentifier  = keyid:always
53
    // keyUsage                = keyCertSign
54
    private static final String ROOT_CA_CERT =
55
            "-----BEGIN CERTIFICATE-----\n" +
56
            "MIIB0jCCAXigAwIBAgIUE+wUdx22foJXSQzD3hpCNCqITLEwCgYIKoZIzj0EAwIw\n" +
57
            "NzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRswGQYDVQQKDBJUZXN0IFJvb3Qg\n" +
58
            "Q0EsIEluYy4wIBcNMjIwNDEyMDcxMzMzWhgPMjEyMjAzMTkwNzEzMzNaMDcxCzAJ\n" +
59
            "BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEbMBkGA1UECgwSVGVzdCBSb290IENBLCBJ\n" +
60
            "bmMuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBKye/mwO0V0WLr71tf8auFEz\n" +
61
            "EmqhaYWauaP17Fb33fRAeG8aVp9c4B0isv/VgcqSTRMG0SJjbx7ttSYwR/JNhqNg\n" +
62
            "MF4wDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUpfGt4bjadmVzWeXAiSMp9pLU\n" +
63
            "RMkwHwYDVR0jBBgwFoAUpfGt4bjadmVzWeXAiSMp9pLURMkwCwYDVR0PBAQDAgIE\n" +
64
            "MAoGCCqGSM49BAMCA0gAMEUCIBF8YyD5BBuhkFNV/3rNmvvMuvWUAECJ8rrUg8kr\n" +
65
            "J8zpAiEAzbZQsC/IZ0wVNd4lqHn6/Ih5v7vhCgkg95KCP1NhBnU=\n" +
66
            "-----END CERTIFICATE-----";
67

68
    // "/C=US/ST=CA/O=Test Intermediate CA, Inc."
69
    // basicConstraints=critical, CA:true, pathlen:0
70
    // subjectKeyIdentifier    = hash
71
    // authorityKeyIdentifier  = keyid:always
72
    // keyUsage                = keyCertSign
73
    private static final String CA_CERT =
74
            "-----BEGIN CERTIFICATE-----\n" +
75
            "MIIB3TCCAYOgAwIBAgIUQ+lTbsDcIQ1UUg0RGdpJB6JMXpcwCgYIKoZIzj0EAwIw\n" +
76
            "NzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRswGQYDVQQKDBJUZXN0IFJvb3Qg\n" +
77
            "Q0EsIEluYy4wIBcNMjIwNDEyMDcxMzM0WhgPMjEyMjAzMTkwNzEzMzRaMD8xCzAJ\n" +
78
            "BgNVBAYTAlVTMQswCQYDVQQIDAJDQTEjMCEGA1UECgwaVGVzdCBJbnRlcm1lZGlh\n" +
79
            "dGUgQ0EsIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ7DsKCSQkP5oT2\n" +
80
            "Wx0gf40N+H/F75w1YmPm6dp2wiQ6JPMN/4En87Ylx0ISJkeXJLxrbLvu2xZ+aonM\n" +
81
            "kckNh/ERo2MwYTASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBTqP6hB5Ibr\n" +
82
            "aivot/zWSMKr8ZkCVzAfBgNVHSMEGDAWgBSl8a3huNp2ZXNZ5cCJIyn2ktREyTAL\n" +
83
            "BgNVHQ8EBAMCAgQwCgYIKoZIzj0EAwIDSAAwRQIhAM0vCIV938aqGAEmELIA8Kc4\n" +
84
            "X+kOc4LGE0R7sMiBAbXuAiBlbNVaskKYRHIEGHEtIWet6Ufi3w9NMrycEbBZ+v5o\n" +
85
            "gA==\n" +
86
            "-----END CERTIFICATE-----";
87

88
    // "/C=US/ST=CA/O=Test Server/CN=client"
89
    // subjectKeyIdentifier    = hash
90
    // authorityKeyIdentifier  = keyid:always
91
    // keyUsage                = digitalSignature
92
    // subjectAltName          = DNS:client
93
    private static final String SERVER_CERT =
94
            "-----BEGIN CERTIFICATE-----\n" +
95
            "MIIB5TCCAYygAwIBAgIUNWe754lZoDc6wNs9Vsev/h9TMicwCgYIKoZIzj0EAwIw\n" +
96
            "PzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMSMwIQYDVQQKDBpUZXN0IEludGVy\n" +
97
            "bWVkaWF0ZSBDQSwgSW5jLjAgFw0yMjA0MTIwNzEzMzRaGA8yMTIyMDMxOTA3MTMz\n" +
98
            "NFowQTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtUZXN0IFNl\n" +
99
            "cnZlcjEPMA0GA1UEAwwGY2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\n" +
100
            "o6zUz5QmzmfHL2xRifvaJenggck/Dlu6KC4v4rGXug69R7tWKWuRUsbSFLy29Rii\n" +
101
            "F7V1wjFhsyGAzNyKf/KlmaNiMGAwHQYDVR0OBBYEFHz32VSnXBF4WdLDOe7e3hF9\n" +
102
            "yDxmMB8GA1UdIwQYMBaAFOo/qEHkhutqK+i3/NZIwqvxmQJXMAsGA1UdDwQEAwIH\n" +
103
            "gDARBgNVHREECjAIggZjbGllbnQwCgYIKoZIzj0EAwIDRwAwRAIgWsCn2LIElgVs\n" +
104
            "VihcQznvBemWneEcmnp/Bw+lwk86KQ8CIA3loL7P/0/Ft/xXtClxJfyxEoZ/Az1n\n" +
105
            "HTTjbe6ZnN0Y\n" +
106
            "-----END CERTIFICATE-----";
107

108
    private static final String serverkey =
109
            //"-----BEGIN PRIVATE KEY-----\n" +
110
            "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKb9cKLH++BgA9CL1\n" +
111
            "cdCLHpD0poPJ/uAkafGXDJBR67ChRANCAASjrNTPlCbOZ8cvbFGJ+9ol6eCByT8O\n" +
112
            "W7ooLi/isZe6Dr1Hu1Ypa5FSxtIUvLb1GKIXtXXCMWGzIYDM3Ip/8qWZ";
113
            // + "\n-----END PRIVATE KEY-----";
114

115
    private TestCertificates() {}
116

117
    public static KeyStore getKeyStore() throws GeneralSecurityException, IOException {
118
        KeyStore result = KeyStore.getInstance("JKS");
119
        result.load(null, null);
120
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
121
        Certificate serverCert = cf.generateCertificate(
122
                new ByteArrayInputStream(
123
                        TestCertificates.SERVER_CERT.getBytes(StandardCharsets.ISO_8859_1)));
124
        Certificate caCert = cf.generateCertificate(
125
                new ByteArrayInputStream(
126
                        CA_CERT.getBytes(StandardCharsets.ISO_8859_1)));
127
        KeyFactory kf = KeyFactory.getInstance("EC");
128
        PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(
129
                Base64.getMimeDecoder().decode(serverkey));
130
        Key key = kf.generatePrivate(ks);
131
        Certificate[] chain = {serverCert, caCert};
132

133
        result.setKeyEntry("server", key, new char[0], chain);
134
        return result;
135
    }
136

137
    public static KeyStore getTrustStore() throws GeneralSecurityException, IOException {
138
        KeyStore result = KeyStore.getInstance("JKS");
139
        result.load(null, null);
140
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
141
        Certificate rootcaCert = cf.generateCertificate(
142
                new ByteArrayInputStream(
143
                        ROOT_CA_CERT.getBytes(StandardCharsets.ISO_8859_1)));
144

145
        result.setCertificateEntry("testca", rootcaCert);
146
        return result;
147
    }
148
}
149

150