Path: blob/jdk8u272-b10-aarch32-20201026/jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java
48803 views
/*1* Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223//24// Security properties, once set, cannot revert to unset. To avoid25// conflicts with tests running in the same VM isolate this test by26// running it in otherVM mode.27//2829/**30* @test31* @bug 685274432* @summary PIT b61: PKI test suite fails because self signed certificates33* are being rejected34* @run main/othervm StatusLoopDependency subca35* @run main/othervm StatusLoopDependency subci36* @run main/othervm StatusLoopDependency alice37* @author Xuelei Fan38*/3940import java.io.*;41import java.net.SocketException;42import java.util.*;43import java.security.Security;44import java.security.cert.*;45import java.security.cert.CertPathValidatorException.BasicReason;46import sun.security.util.DerInputStream;4748/**49* KeyUsage extension plays a important rule during looking for the issuer50* of a certificate or CRL. A certificate issuer should have the keyCertSign51* bit set, and a CRL issuer should have the cRLSign bit set.52*53* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,54* as would be troublesome to find the proper CRL issuer during certificate55* path build if the delegated CRL issuer is a self-issued certificate, for56* it is hard to identify it from its issuer by the "issuer" field only.57*58* In the test case, the delegated CRL issuers have keyCertSign bit set, and59* the CAs have the cRLSign bit set also. If we cannot identify the delegated60* CRL issuer from its issuer, there is a potential loop to find the correct61* CRL.62*63* And when revocation enabled, needs to check the status of the delegated64* CRL issuers. If the delegated CRL issuer issues itself status, there is65* a potential loop to verify the CRL and check the status of delegated CRL66* issuer.67*68* The fix of 6852744 should addresses above issues.69*/70public final class StatusLoopDependency {7172// the trust anchor73static String selfSignedCertStr =74"-----BEGIN CERTIFICATE-----\n" +75"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +76"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +77"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +78"AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +79"81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +80"m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +81"AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +82"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +83"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +84"DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +85"ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +86"DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +87"v/E=\n" +88"-----END CERTIFICATE-----";8990// the sub-ca91static String subCaCertStr =92"-----BEGIN CERTIFICATE-----\n" +93"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +94"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +95"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +96"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +97"srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +98"+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +99"E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +100"KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +101"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +102"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +103"MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +104"RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +105"iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +106"-----END CERTIFICATE-----";107108// a delegated CRL issuer, it's a self-issued certificate of trust anchor109static String topCrlIssuerCertStr =110"-----BEGIN CERTIFICATE-----\n" +111"MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +112"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +113"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +114"AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +115"/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +116"hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +117"AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +118"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +119"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +120"DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +121"xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +122"rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +123"G0c=\n" +124"-----END CERTIFICATE-----";125126// a delegated CRL issuer, it's a self-issued certificate of sub-ca127static String subCrlIssuerCertStr =128"-----BEGIN CERTIFICATE-----\n" +129"MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +130"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +131"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +132"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +133"OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +134"obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +135"GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +136"xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +137"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +138"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +139"Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +140"pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +141"Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +142"-----END CERTIFICATE-----";143144// the target EE certificate145static String targetCertStr =146"-----BEGIN CERTIFICATE-----\n" +147"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +148"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +149"MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +150"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +151"9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +152"T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +153"1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +154"cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +155"uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +156"9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +157"yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +158"G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +159"-----END CERTIFICATE-----";160161// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr162static String topCrlStr =163"-----BEGIN X509 CRL-----\n" +164"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +165"ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX\n" +166"DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ\n" +167"KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1\n" +168"v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN\n" +169"GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=\n" +170"-----END X509 CRL-----";171172// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr173static String subCrlStr =174"-----BEGIN X509 CRL-----\n" +175"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +176"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw\n" +177"ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO\n" +178"MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO\n" +179"oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe\n" +180"5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr\n" +181"N9AvUXxGxU4DruoJuFPcrCI=\n" +182"-----END X509 CRL-----";183184private static Set<TrustAnchor> generateTrustAnchors()185throws CertificateException {186// generate certificate from cert string187CertificateFactory cf = CertificateFactory.getInstance("X.509");188189ByteArrayInputStream is =190new ByteArrayInputStream(selfSignedCertStr.getBytes());191Certificate selfSignedCert = cf.generateCertificate(is);192193// generate a trust anchor194TrustAnchor anchor =195new TrustAnchor((X509Certificate)selfSignedCert, null);196197return Collections.singleton(anchor);198}199200private static CertStore generateCertificateStore() throws Exception {201Collection entries = new HashSet();202203// generate certificate from certificate string204CertificateFactory cf = CertificateFactory.getInstance("X.509");205206ByteArrayInputStream is;207208is = new ByteArrayInputStream(targetCertStr.getBytes());209Certificate cert = cf.generateCertificate(is);210entries.add(cert);211212is = new ByteArrayInputStream(subCaCertStr.getBytes());213cert = cf.generateCertificate(is);214entries.add(cert);215216is = new ByteArrayInputStream(selfSignedCertStr.getBytes());217cert = cf.generateCertificate(is);218entries.add(cert);219220is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());221cert = cf.generateCertificate(is);222entries.add(cert);223224is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());225cert = cf.generateCertificate(is);226entries.add(cert);227228// generate CRL from CRL string229is = new ByteArrayInputStream(topCrlStr.getBytes());230Collection mixes = cf.generateCRLs(is);231entries.addAll(mixes);232233is = new ByteArrayInputStream(subCrlStr.getBytes());234mixes = cf.generateCRLs(is);235entries.addAll(mixes);236237return CertStore.getInstance("Collection",238new CollectionCertStoreParameters(entries));239}240241private static X509CertSelector generateSelector(String name)242throws Exception {243X509CertSelector selector = new X509CertSelector();244245// generate certificate from certificate string246CertificateFactory cf = CertificateFactory.getInstance("X.509");247ByteArrayInputStream is = null;248if (name.equals("subca")) {249is = new ByteArrayInputStream(subCaCertStr.getBytes());250} else if (name.equals("subci")) {251is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());252} else {253is = new ByteArrayInputStream(targetCertStr.getBytes());254}255256X509Certificate target = (X509Certificate)cf.generateCertificate(is);257byte[] extVal = target.getExtensionValue("2.5.29.14");258if (extVal != null) {259DerInputStream in = new DerInputStream(extVal);260byte[] subjectKID = in.getOctetString();261selector.setSubjectKeyIdentifier(subjectKID);262} else {263// unlikely to happen.264throw new Exception("unexpected certificate: no SKID extension");265}266267return selector;268}269270private static boolean match(String name, Certificate cert)271throws Exception {272X509CertSelector selector = new X509CertSelector();273274// generate certificate from certificate string275CertificateFactory cf = CertificateFactory.getInstance("X.509");276ByteArrayInputStream is = null;277if (name.equals("subca")) {278is = new ByteArrayInputStream(subCaCertStr.getBytes());279} else if (name.equals("subci")) {280is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());281} else {282is = new ByteArrayInputStream(targetCertStr.getBytes());283}284X509Certificate target = (X509Certificate)cf.generateCertificate(is);285286return target.equals(cert);287}288289290public static void main(String[] args) throws Exception {291// MD5 is used in this test case, don't disable MD5 algorithm.292Security.setProperty(293"jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024");294295CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");296297X509CertSelector selector = generateSelector(args[0]);298299Set<TrustAnchor> anchors = generateTrustAnchors();300CertStore certs = generateCertificateStore();301302303PKIXBuilderParameters params =304new PKIXBuilderParameters(anchors, selector);305params.addCertStore(certs);306params.setRevocationEnabled(true);307params.setDate(new Date(109, 7, 1)); // 2009-07-01308Security.setProperty("ocsp.enable", "false");309System.setProperty("com.sun.security.enableCRLDP", "true");310311PKIXCertPathBuilderResult result =312(PKIXCertPathBuilderResult)builder.build(params);313314if (!match(args[0], result.getCertPath().getCertificates().get(0))) {315throw new Exception("unexpected certificate");316}317}318}319320321