Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java
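/*
 * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.time.*;
import java.util.*;
import javax.net.ssl.*;
import sun.security.validator.Validator;
import sun.security.validator.ValidatorException;

/**
 * @test
 * @bug 8207258 8216280
 * @summary Check that TLS Server certificates chaining back to distrusted
 *          Symantec roots are invalid
 * @library /lib/security
 * @run main/othervm Distrust after policyOn invalid
 * @run main/othervm Distrust after policyOff valid
 * @run main/othervm Distrust before policyOn valid
 * @run main/othervm Distrust before policyOff valid
 */

/**
 * Drives the Symantec CA distrust policy through both the SunX509 and the
 * PKIX trust manager.
 *
 * Every fixture chain ends in one of the Symantec roots listed below. The
 * test does not own certificates issued after the distrust cut-off, so it
 * wraps the TLS server (leaf) certificate in a delegate whose getNotBefore()
 * reports a date just before, or on/after, the cut-off, and expects the chain
 * to be rejected only when the cut-off has passed AND the policy is enabled
 * (the four @run lines cover the matrix). A code-signing chain under one of
 * the same roots must stay valid, because the policy only applies to TLS
 * server certificates.
 */
public class Distrust {

    private static final String TEST_SRC = System.getProperty("test.src", ".");
    private static CertificateFactory cf;

    // Each of the roots has a test certificate chain stored in a file
    // named "<root>-chain.pem".
    private static final String[] rootsToTest = new String[] {
        "geotrustglobalca", "geotrustprimarycag2", "geotrustprimarycag3",
        "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2",
        "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
        "verisignclass3g5ca", "verisignuniversalrootca" };

    // Each of the subCAs with a delayed distrust date has a test certificate
    // chain stored in a file named "<subCA>-chain.pem".
    private static final String[] subCAsToTest = new String[] {
        "appleistca2g1", "appleistca8g1" };

    // The distrust cut-off for the roots: certificates with a notBefore on or
    // after this instant are rejected once the policy is on.
    private static final Date APRIL_17_2019 = utcMidnight(2019, 4, 17);

    // One second before the root restrictions take effect.
    private static final Date BEFORE_APRIL_17_2019 = oneSecondBefore(APRIL_17_2019);

    // The delayed distrust cut-off for the subCAs listed above.
    private static final Date JANUARY_1_2020 = utcMidnight(2020, 1, 1);

    // One second before the subCA restrictions take effect.
    private static final Date BEFORE_JANUARY_1_2020 = oneSecondBefore(JANUARY_1_2020);

    // Validation date for the code-signing chain (a fixed instant in December
    // 2018) so that check keeps passing after the fixture certificate expires.
    private static final long CODE_SIGNING_VALIDATION_MILLIS = 1544197375493L;

    // Builds the java.util.Date for midnight UTC of the given calendar day;
    // the trust-manager and validator APIs still take java.util.Date.
    private static Date utcMidnight(int year, int month, int day) {
        return Date.from(LocalDate.of(year, month, day)
                .atStartOfDay(ZoneOffset.UTC)
                .toInstant());
    }

    // Returns the instant one second before the given date.
    private static Date oneSecondBefore(Date date) {
        return new Date(date.getTime() - 1000L);
    }

    /**
     * Entry point. Arguments, in order:
     *   args[0]  "before" to spoof a leaf notBefore one second before the
     *            cut-off; anything else means on/after the cut-off
     *   args[1]  "policyOn" to leave the default distrust policy enabled;
     *            anything else clears jdk.security.caDistrustPolicies
     *   args[2]  "valid" if every TLS chain is expected to be accepted;
     *            anything else if every TLS chain is expected to be rejected
     *
     * @throws Exception on a missing argument, a missing fixture, or any
     *         chain that does not produce the expected outcome
     */
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            throw new IllegalArgumentException("usage: Distrust "
                    + "<before|after> <policyOn|policyOff> <valid|invalid>");
        }

        cf = CertificateFactory.getInstance("X.509");

        boolean before = args[0].equals("before");
        boolean policyOn = args[1].equals("policyOn");
        boolean isValid = args[2].equals("valid");

        if (!policyOn) {
            // Disable the policy (default is on). Clearing the property
            // disables every CA distrust policy listed in it, not only the
            // Symantec one; that is fine here because only Symantec chains
            // are exercised.
            Security.setProperty("jdk.security.caDistrustPolicies", "");
        }

        Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;

        X509TrustManager pkixTM = getTMF("PKIX", null);
        X509TrustManager sunX509TM = getTMF("SunX509", null);
        for (String test : rootsToTest) {
            testChain(test, notBefore, isValid, sunX509TM, pkixTM);
        }

        // Test a chain when explicit PKIX params are passed to the
        // TrustManager (the distrust policy must apply on that path too).
        System.err.println("Testing verisignuniversalrootca with params");
        testTM(getTMF("PKIX", getParams()),
               loadCertificateChain("verisignuniversalrootca"),
               notBefore, isValid);

        // Test a code-signing chain (should be valid as the restrictions
        // apply to TLS server certificates only).
        System.err.println("Testing verisignclass3g5ca code-signing chain");
        Validator v = Validator.getInstance(Validator.TYPE_PKIX,
                                            Validator.VAR_CODE_SIGNING,
                                            getParams());
        // Pin the validation date so this still passes when the cert expires.
        v.setValidationDate(new Date(CODE_SIGNING_VALIDATION_MILLIS));
        v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));

        // Test chains issued through the subCAs with the later cut-off.
        notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
        for (String test : subCAsToTest) {
            testChain(test, notBefore, isValid, sunX509TM, pkixTM);
        }
    }

    /**
     * Loads the "<name>-chain.pem" fixture once and runs it through each of
     * the given trust managers, in the order given.
     */
    private static void testChain(String name, Date notBefore, boolean valid,
            X509TrustManager... tms) throws Exception {
        System.err.println("Testing " + name);
        X509Certificate[] chain = loadCertificateChain(name);
        for (X509TrustManager tm : tms) {
            testTM(tm, chain, notBefore, valid);
        }
    }

    /**
     * Returns an X509TrustManager of the given algorithm ("PKIX" or
     * "SunX509").
     *
     * @param type   TrustManagerFactory algorithm name
     * @param params PKIX builder parameters, or null to initialize the
     *               factory with a null KeyStore, i.e. the provider's default
     *               trust store (per the TrustManagerFactory.init contract)
     * @throws Exception if the factory yields no X509TrustManager
     */
    private static X509TrustManager getTMF(String type,
            PKIXBuilderParameters params) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(type);
        if (params == null) {
            tmf.init((KeyStore) null);
        } else {
            tmf.init(new CertPathTrustManagerParameters(params));
        }
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new Exception("No TrustManager for " + type);
    }

    /**
     * PKIX builder parameters anchored on the cacerts keystore, with
     * revocation checking off: the test runs offline and must not depend on
     * CRL/OCSP reachability, and revocation is not what is under test.
     */
    private static PKIXBuilderParameters getParams() throws Exception {
        PKIXBuilderParameters pbp =
            new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(),
                                      new X509CertSelector());
        pbp.setRevocationEnabled(false);
        return pbp;
    }

    /**
     * Validates {@code chain} as a TLS server chain after spoofing the leaf's
     * notBefore date, and checks the outcome against {@code valid}.
     *
     * The leaf (element 0) is wrapped so that getNotBefore() reports
     * {@code notBefore}; none of the fixture certificates was really issued
     * after the cut-off. The caller's array is not modified: a copy is made,
     * so a chain passed to several trust managers is wrapped once per call
     * rather than stacking delegates.
     *
     * A rejection is accepted only when it is a ValidatorException of type
     * T_UNTRUSTED_CERT; a CertificateException of any other kind means the
     * chain was rejected for the wrong reason (expiry, signature, ...) and
     * fails the test.
     *
     * @throws Exception if the outcome does not match {@code valid}
     */
    private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
            Date notBefore, boolean valid) throws Exception {
        X509Certificate[] testChain = chain.clone();
        testChain[0] = new DistrustedTLSServerCert(testChain[0], notBefore);

        try {
            // authType is the key-exchange name checkServerTrusted requires;
            // the distrust outcome does not depend on its value.
            xtm.checkServerTrusted(testChain, "ECDHE_RSA");
        } catch (CertificateException ce) {
            if (valid) {
                throw new Exception("Unexpected exception, chain " +
                                    "should be valid", ce);
            }
            if (!(ce instanceof ValidatorException)) {
                throw new Exception("Unexpected exception: " + ce, ce);
            }
            ValidatorException ve = (ValidatorException) ce;
            if (ve.getErrorType() != ValidatorException.T_UNTRUSTED_CERT) {
                throw new Exception("Unexpected exception: " + ce, ce);
            }
            return; // rejected, as expected, and for the expected reason
        }
        if (!valid) {
            throw new Exception("chain should be invalid");
        }
    }

    /**
     * Reads "<name>-chain.pem" from the test source directory and returns
     * its certificates in file order (leaf first, as the fixtures are laid
     * out for checkServerTrusted).
     *
     * @throws Exception if the file is missing, unparsable, or empty
     */
    private static X509Certificate[] loadCertificateChain(String name)
            throws Exception {
        File chainFile = new File(TEST_SRC, name + "-chain.pem");
        try (InputStream in = new FileInputStream(chainFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            List<X509Certificate> chain = new ArrayList<>(certs.size());
            for (Certificate c : certs) {
                chain.add((X509Certificate) c);
            }
            if (chain.isEmpty()) {
                throw new Exception("No certificates found in " + chainFile);
            }
            return chain.toArray(new X509Certificate[0]);
        }
    }

    /**
     * Test double: an X509Certificate that delegates everything to a real
     * certificate except
     *   - getNotBefore(), which reports the injected date, and
     *   - checkValidity(), which never throws, so validity-period failures
     *     (fixture certificates age) cannot mask the distrust result.
     *
     * SECURITY NOTE: getEncoded()/getTBSCertificate()/getSignature() still
     * return the original, signed bytes, so the spoofed date is visible only
     * through the Java object, not in the DER, and verify() still succeeds.
     * This is only acceptable in a test; it relies on the distrust policy
     * consulting getNotBefore() on the chain objects it is handed rather than
     * re-parsing the encoding. Accessors not overridden here (for example
     * getExtendedKeyUsage(), getSubjectAlternativeNames()) fall back to
     * X509Certificate's defaults instead of the wrapped certificate's values;
     * presumably intentional, since the upstream test ships this way.
     */
    private static class DistrustedTLSServerCert extends X509Certificate {
        private final X509Certificate cert;
        private final Date notBefore;

        DistrustedTLSServerCert(X509Certificate cert, Date notBefore) {
            this.cert = cert;
            this.notBefore = notBefore;
        }

        @Override
        public Set<String> getCriticalExtensionOIDs() {
            return cert.getCriticalExtensionOIDs();
        }

        @Override
        public byte[] getExtensionValue(String oid) {
            return cert.getExtensionValue(oid);
        }

        @Override
        public Set<String> getNonCriticalExtensionOIDs() {
            return cert.getNonCriticalExtensionOIDs();
        }

        @Override
        public boolean hasUnsupportedCriticalExtension() {
            return cert.hasUnsupportedCriticalExtension();
        }

        @Override
        public void checkValidity() throws CertificateExpiredException,
                CertificateNotYetValidException {
            // always pass: the validity period is deliberately not under test
        }

        @Override
        public void checkValidity(Date date) throws CertificateExpiredException,
                CertificateNotYetValidException {
            // always pass: the validity period is deliberately not under test
        }

        @Override
        public int getVersion() { return cert.getVersion(); }

        @Override
        public BigInteger getSerialNumber() { return cert.getSerialNumber(); }

        @Override
        public Principal getIssuerDN() { return cert.getIssuerDN(); }

        @Override
        public Principal getSubjectDN() { return cert.getSubjectDN(); }

        // The one spoofed value: the injected issuance date.
        @Override
        public Date getNotBefore() { return notBefore; }

        @Override
        public Date getNotAfter() { return cert.getNotAfter(); }

        @Override
        public byte[] getTBSCertificate() throws CertificateEncodingException {
            return cert.getTBSCertificate();
        }

        @Override
        public byte[] getSignature() { return cert.getSignature(); }

        @Override
        public String getSigAlgName() { return cert.getSigAlgName(); }

        @Override
        public String getSigAlgOID() { return cert.getSigAlgOID(); }

        @Override
        public byte[] getSigAlgParams() { return cert.getSigAlgParams(); }

        @Override
        public boolean[] getIssuerUniqueID() {
            return cert.getIssuerUniqueID();
        }

        @Override
        public boolean[] getSubjectUniqueID() {
            return cert.getSubjectUniqueID();
        }

        @Override
        public boolean[] getKeyUsage() { return cert.getKeyUsage(); }

        @Override
        public int getBasicConstraints() { return cert.getBasicConstraints(); }

        @Override
        public byte[] getEncoded() throws CertificateEncodingException {
            return cert.getEncoded();
        }

        @Override
        public void verify(PublicKey key) throws CertificateException,
                InvalidKeyException, NoSuchAlgorithmException,
                NoSuchProviderException, SignatureException {
            cert.verify(key);
        }

        @Override
        public void verify(PublicKey key, String sigProvider) throws
                CertificateException, InvalidKeyException, NoSuchAlgorithmException,
                NoSuchProviderException, SignatureException {
            cert.verify(key, sigProvider);
        }

        @Override
        public PublicKey getPublicKey() { return cert.getPublicKey(); }

        @Override
        public String toString() { return cert.toString(); }
    }
}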