Path: blob/jdk8u272-b10-aarch32-20201026/jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
48803 views
/*1* Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223//24// Security properties, once set, cannot revert to unset. To avoid25// conflicts with tests running in the same VM isolate this test by26// running it in otherVM mode.27//2829/**30* @test31* @bug 6852744 813348932* @summary PIT b61: PKI test suite fails because self signed certificates33* are being rejected34* @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subca35* @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subci36* @run main/othervm -Djava.security.debug=certpath KeyUsageMatters alice37* @author Xuelei Fan38*/3940import java.io.*;41import java.net.SocketException;42import java.util.*;43import java.security.Security;44import java.security.cert.*;45import java.security.cert.CertPathValidatorException.BasicReason;46import sun.security.util.DerInputStream;4748/**49* KeyUsage extension plays a important rule during looking for the issuer50* of a certificate or CRL. A certificate issuer should have the keyCertSign51* bit set, and a CRL issuer should have the cRLSign bit set.52*53* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,54* as would be troublesome to find the proper CRL issuer during certificate55* path build if the delegated CRL issuer is a self-issued certificate, for56* it is hard to identify it from its issuer by the "issuer" field only.57*58* The fix of 6852744 should addresses above issue, and allow a delegated CRL59* issuer to have keyCertSign bit set.60*61* In the test case, the delegated CRL issuers have cRLSign bit set only, and62* the CAs have the keyCertSign bit set only, it is expected to work before63* and after the bug fix of 6852744.64*/65public final class KeyUsageMatters {6667// the trust anchor68static String selfSignedCertStr =69"-----BEGIN CERTIFICATE-----\n" +70"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +71"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +72"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +73"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +74"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +75"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +76"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +77"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +78"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +79"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +80"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +81"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +82"Vjw=\n" +83"-----END CERTIFICATE-----";8485// the sub-ca86static String subCaCertStr =87"-----BEGIN CERTIFICATE-----\n" +88"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +89"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +90"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +91"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +92"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +93"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +94"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +95"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +96"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +97"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +98"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +99"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +100"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +101"-----END CERTIFICATE-----";102103// a delegated CRL issuer, it's a self-issued certificate of trust anchor104static String topCrlIssuerCertStr =105"-----BEGIN CERTIFICATE-----\n" +106"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +107"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +108"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +109"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +110"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +111"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +112"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +113"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +114"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +115"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +116"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +117"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +118"-----END CERTIFICATE-----";119120// a delegated CRL issuer, it's a self-issued certificate of sub-ca121static String subCrlIssuerCertStr =122"-----BEGIN CERTIFICATE-----\n" +123"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +124"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +125"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +126"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +127"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +128"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +129"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +130"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +131"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +132"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +133"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +134"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +135"rg==\n" +136"-----END CERTIFICATE-----";137138// the target EE certificate139static String targetCertStr =140"-----BEGIN CERTIFICATE-----\n" +141"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +142"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +143"MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +144"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +145"9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +146"ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +147"V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +148"pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +149"4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +150"9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +151"wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +152"Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +153"-----END CERTIFICATE-----";154155// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr156static String topCrlStr =157"-----BEGIN X509 CRL-----\n" +158"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +159"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +160"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +161"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +162"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +163"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +164"-----END X509 CRL-----";165166// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr167static String subCrlStr =168"-----BEGIN X509 CRL-----\n" +169"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +170"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +171"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +172"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +173"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +174"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +175"ARGr6Qu68MYGtLMC6ZqP3u0=\n" +176"-----END X509 CRL-----";177178private static Set<TrustAnchor> generateTrustAnchors()179throws CertificateException {180// generate certificate from cert string181CertificateFactory cf = CertificateFactory.getInstance("X.509");182183ByteArrayInputStream is =184new ByteArrayInputStream(selfSignedCertStr.getBytes());185Certificate selfSignedCert = cf.generateCertificate(is);186187// generate a trust anchor188TrustAnchor anchor =189new TrustAnchor((X509Certificate)selfSignedCert, null);190191return Collections.singleton(anchor);192}193194private static CertStore generateCertificateStore() throws Exception {195Collection entries = new HashSet();196197// generate certificate from certificate string198CertificateFactory cf = CertificateFactory.getInstance("X.509");199200ByteArrayInputStream is;201202is = new ByteArrayInputStream(targetCertStr.getBytes());203Certificate cert = cf.generateCertificate(is);204entries.add(cert);205206is = new ByteArrayInputStream(subCaCertStr.getBytes());207cert = cf.generateCertificate(is);208entries.add(cert);209210is = new ByteArrayInputStream(selfSignedCertStr.getBytes());211cert = cf.generateCertificate(is);212entries.add(cert);213214is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());215cert = cf.generateCertificate(is);216entries.add(cert);217218is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());219cert = cf.generateCertificate(is);220entries.add(cert);221222// generate CRL from CRL string223is = new ByteArrayInputStream(topCrlStr.getBytes());224Collection mixes = cf.generateCRLs(is);225entries.addAll(mixes);226227is = new ByteArrayInputStream(subCrlStr.getBytes());228mixes = cf.generateCRLs(is);229entries.addAll(mixes);230231return CertStore.getInstance("Collection",232new CollectionCertStoreParameters(entries));233}234235private static X509CertSelector generateSelector(String name)236throws Exception {237X509CertSelector selector = new X509CertSelector();238239// generate certificate from certificate string240CertificateFactory cf = CertificateFactory.getInstance("X.509");241ByteArrayInputStream is = null;242if (name.equals("subca")) {243is = new ByteArrayInputStream(subCaCertStr.getBytes());244} else if (name.equals("subci")) {245is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());246} else {247is = new ByteArrayInputStream(targetCertStr.getBytes());248}249250X509Certificate target = (X509Certificate)cf.generateCertificate(is);251byte[] extVal = target.getExtensionValue("2.5.29.14");252if (extVal != null) {253DerInputStream in = new DerInputStream(extVal);254byte[] subjectKID = in.getOctetString();255selector.setSubjectKeyIdentifier(subjectKID);256} else {257// unlikely to happen.258throw new Exception("unexpected certificate: no SKID extension");259}260261return selector;262}263264private static boolean match(String name, Certificate cert)265throws Exception {266X509CertSelector selector = new X509CertSelector();267268// generate certificate from certificate string269CertificateFactory cf = CertificateFactory.getInstance("X.509");270ByteArrayInputStream is = null;271if (name.equals("subca")) {272is = new ByteArrayInputStream(subCaCertStr.getBytes());273} else if (name.equals("subci")) {274is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());275} else {276is = new ByteArrayInputStream(targetCertStr.getBytes());277}278X509Certificate target = (X509Certificate)cf.generateCertificate(is);279280return target.equals(cert);281}282283284public static void main(String[] args) throws Exception {285// MD5 is used in this test case, don't disable MD5 algorithm.286Security.setProperty(287"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");288289CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");290291X509CertSelector selector = generateSelector(args[0]);292293Set<TrustAnchor> anchors = generateTrustAnchors();294CertStore certs = generateCertificateStore();295296297PKIXBuilderParameters params =298new PKIXBuilderParameters(anchors, selector);299params.addCertStore(certs);300params.setRevocationEnabled(true);301params.setDate(new Date(109, 5, 1)); // 2009-05-01302Security.setProperty("ocsp.enable", "false");303System.setProperty("com.sun.security.enableCRLDP", "true");304305PKIXCertPathBuilderResult result =306(PKIXCertPathBuilderResult)builder.build(params);307308if (!match(args[0], result.getCertPath().getCertificates().get(0))) {309throw new Exception("unexpected certificate");310}311}312}313314315