GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/sun/security/validator/EndEntityExtensionCheck.java
/*
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8076117
* @summary EndEntityChecker should not process custom extensions
* after PKIX validation
* @run main/othervm -Djdk.security.allowNonCaAnchor EndEntityExtensionCheck
*/
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import sun.security.validator.TrustStoreUtil;
import sun.security.validator.Validator;
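/**
 * Regression test for JDK-8076117: an end-entity certificate that carries a
 * critical extension the JDK does not understand must be rejected, unless the
 * caller registered a {@link PKIXCertPathChecker} that claims that extension and
 * marks it resolved. Silently ignoring an unknown critical extension would let a
 * certificate be accepted under constraints the validator never evaluated.
 *
 * Three scenarios run against the same two-certificate chain (TestEE issued by
 * the self-signed TestCA; the EE cert carries critical extension 1.2.3.4):
 * <ol>
 *   <li>SimpleValidator: must reject the chain.</li>
 *   <li>PKIXValidator with no custom checker: must reject the chain.</li>
 *   <li>PKIXValidator with {@link CustomChecker} registered: must accept it.</li>
 * </ol>
 * As with other jtreg tests, any exception escaping {@link #main} is a failure.
 */
public class EndEntityExtensionCheck {

    /** OID of the critical extension embedded in the EE certificate below. */
    private static final String CUSTOM_EXT_OID = "1.2.3.4";

    /*
     * Owner: CN=TestCA
     * Issuer: CN=TestCA
     * Self-signed. Its only extension is a SubjectKeyIdentifier; there is no
     * BasicConstraints extension, which is why the @run line passes
     * -Djdk.security.allowNonCaAnchor so it can still serve as a trust anchor.
     */
    private static final String CA =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
        "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
        "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
        "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
        "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
        "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
        "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
        "-----END CERTIFICATE-----";

    /*
     * Owner: CN=TestEE
     * Issuer: CN=TestCA
     * Valid 2015-04-07 to 2015-07-06, i.e. long expired; Tests 2 and 3 pin the
     * validation date (see validationDate()) so expiry does not mask the result.
     * Contains a custom critical extension with OID 1.2.3.4:
     * #1: ObjectId: 1.2.3.4 Criticality=true
     * 0000: 00 00
     */
    private static final String EE =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
        "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
        "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
        "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
        "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
        "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
        "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
        "3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
        "-----END CERTIFICATE-----";

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = createChain();
        X509Certificate anchorCert = chain[chain.length - 1];

        /* Test 1: SimpleValidator.
         * SimpleValidator does not itself check the end-entity certificate for
         * unsupported critical extensions; that is left to EndEntityChecker,
         * which must reject the chain.
         */
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // empty in-memory store, no file involved
        ks.setCertificateEntry("testca", anchorCert);

        Validator simple = Validator.getInstance(Validator.TYPE_SIMPLE,
                                                 Validator.VAR_TLS_CLIENT,
                                                 TrustStoreUtil.getTrustedCerts(ks));
        // NOTE(review): no validation date is pinned for this validator, so now
        // that the EE certificate has expired (2015-07-06) the rejection may be
        // caused by the expiry check rather than by the unsupported critical
        // extension. Inspect the exception, or pin the date as Tests 2 and 3
        // do, to keep this scenario meaningful.
        expectRejection(simple, chain,
                "EE cert carries unsupported critical extension " + CUSTOM_EXT_OID);

        /* Test 2: PKIXValidator without a custom checker.
         * PKIXValidator accepts PKIXParameters that may carry custom
         * PKIXCertPathCheckers, run against every cert in the path including
         * the EE cert. With no checker registered for the unknown critical
         * extension, validation must fail.
         */
        Set<TrustAnchor> anchors = new HashSet<>();
        anchors.add(new TrustAnchor(anchorCert, null));

        Validator pkix = Validator.getInstance(Validator.TYPE_PKIX,
                                               Validator.VAR_TLS_CLIENT,
                                               pkixParams(anchors, null));
        expectRejection(pkix, chain,
                "no PKIXCertPathChecker resolves critical extension " + CUSTOM_EXT_OID);

        /* Test 3: PKIXValidator with a custom checker.
         * With a PKIXCertPathChecker that claims and resolves the custom
         * critical extension, the same chain must validate.
         */
        Validator pkixWithChecker = Validator.getInstance(Validator.TYPE_PKIX,
                                                          Validator.VAR_TLS_CLIENT,
                                                          pkixParams(anchors, new CustomChecker()));
        pkixWithChecker.validate(chain); // throws on failure; success is the assertion

        System.out.println("Tests passed.");
    }

    /**
     * Runs {@code v.validate(chain)} and fails the test unless it is rejected
     * with a {@link CertificateException}. Any other exception propagates
     * unchanged so an unexpected crash is not mistaken for a rejection.
     *
     * @param v     the validator under test
     * @param chain leaf-first chain to validate
     * @param why   reason the rejection is expected, included in the failure message
     * @throws Exception if validation unexpectedly succeeds
     */
    private static void expectRejection(Validator v, X509Certificate[] chain,
                                        String why) throws Exception {
        try {
            v.validate(chain);
        } catch (CertificateException expected) {
            // The rejection itself is the behaviour under test.
            return;
        }
        throw new Exception("Chain should not have validated successfully: " + why);
    }

    /**
     * Builds PKIX parameters trusting {@code anchors}, evaluated at
     * {@link #validationDate()} with revocation checking disabled (the fixture
     * ships no CRL or OCSP data). {@code checker} is registered when non-null.
     *
     * @param anchors trust anchors for path building
     * @param checker optional extra PKIXCertPathChecker, may be null
     * @return the configured parameters
     * @throws Exception if the parameters cannot be constructed
     */
    private static PKIXBuilderParameters pkixParams(Set<TrustAnchor> anchors,
                                                    PKIXCertPathChecker checker)
            throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, null);
        if (checker != null) {
            params.addCertPathChecker(checker);
        }
        params.setDate(validationDate());
        params.setRevocationEnabled(false);
        return params;
    }

    /**
     * Fixed point in time at which Tests 2 and 3 evaluate the chain.
     * {@code new Date(115, 5, 1)} is 1 June 2015 (the deprecated constructor
     * counts years from 1900 and months from 0), inside the EE certificate's
     * 2015-04-07..2015-07-06 validity window. Pinning the date keeps the test
     * exercising the extension check rather than certificate expiry.
     *
     * @return 2015-06-01, midnight local time
     */
    @SuppressWarnings("deprecation")
    private static Date validationDate() {
        return new Date(115, 5, 1); // 2015-06-01, not 2015-05-01: month is zero-based
    }

    /**
     * Parses the PEM fixtures into a chain ordered leaf first.
     *
     * @return {@code {EE, CA}}
     * @throws Exception if either certificate fails to parse
     */
    public static X509Certificate[] createChain() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = parsePem(cf, EE);
        X509Certificate ca = parsePem(cf, CA);
        return new X509Certificate[] {ee, ca};
    }

    /**
     * Decodes one PEM-encoded certificate. The fixture text is pure ASCII, so an
     * explicit charset is used instead of the platform default.
     *
     * @param cf  X.509 certificate factory
     * @param pem PEM text including the BEGIN/END markers
     * @return the parsed certificate
     * @throws CertificateException if the PEM cannot be parsed
     */
    private static X509Certificate parsePem(CertificateFactory cf, String pem)
            throws CertificateException {
        byte[] der = pem.getBytes(StandardCharsets.US_ASCII);
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Minimal PKIXCertPathChecker that claims extension 1.2.3.4 and, for any
     * certificate without a CA BasicConstraints extension, marks it resolved.
     *
     * This is a test stub only: it never reads the extension's value, so it would
     * "resolve" any payload. A production checker must fetch
     * {@code cert.getExtensionValue(oid)}, validate the DER contents, and throw
     * {@link CertPathValidatorException} on anything unexpected; removing the
     * OID from {@code unresolvedCritExts} is the signal to PKIX validation that
     * the critical extension was understood and accepted.
     */
    static class CustomChecker extends PKIXCertPathChecker {

        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // Stateless: nothing to reset between validations.
        }

        @Override
        public boolean isForwardCheckingSupported() {
            return false; // only reverse order (anchor towards target) is supported
        }

        @Override
        public Set<String> getSupportedExtensions() {
            Set<String> exts = new HashSet<>();
            exts.add(CUSTOM_EXT_OID);
            return exts;
        }

        /**
         * Resolves 1.2.3.4 on certificates that carry no CA BasicConstraints.
         *
         * @param cert               certificate being checked
         * @param unresolvedCritExts critical extension OIDs not yet handled; may be null
         */
        @Override
        public void check(Certificate cert,
                          Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate x509 = (X509Certificate) cert;
            // getBasicConstraints() == -1 means "no CA BasicConstraints", which is
            // how this stub recognises the end-entity cert. The self-signed TestCA
            // also lacks BasicConstraints, but as the trust anchor it is not
            // expected to be passed through path checkers.
            if (x509.getBasicConstraints() != -1) {
                return;
            }
            if (unresolvedCritExts != null && !unresolvedCritExts.isEmpty()) {
                unresolvedCritExts.remove(CUSTOM_EXT_OID);
            }
        }
    }
}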