50768
|
1 |
/*
|
|
2 |
* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
|
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
7 |
* published by the Free Software Foundation.
|
|
8 |
*
|
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
13 |
* accompanied this code).
|
|
14 |
*
|
|
15 |
* You should have received a copy of the GNU General Public License version
|
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
18 |
*
|
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
20 |
* or visit www.oracle.com if you need additional information or have any
|
|
21 |
* questions.
|
|
22 |
*/
|
|
23 |
|
|
24 |
package sun.security.ssl;
|
|
25 |
|
|
26 |
import java.io.IOException;
|
|
27 |
import java.math.BigInteger;
|
|
28 |
import java.security.cert.*;
|
|
29 |
import java.util.*;
|
|
30 |
import java.security.KeyPair;
|
|
31 |
import java.security.KeyPairGenerator;
|
|
32 |
import java.security.KeyStore;
|
|
33 |
import java.security.PublicKey;
|
|
34 |
import java.util.concurrent.TimeUnit;
|
|
35 |
|
|
36 |
import sun.security.testlibrary.SimpleOCSPServer;
|
|
37 |
import sun.security.testlibrary.CertificateBuilder;
|
|
38 |
|
|
39 |
import static sun.security.ssl.CertStatusExtension.*;
|
|
40 |
|
|
41 |
/*
|
|
42 |
* Checks that the hash value for a certificate's issuer name is generated
|
|
43 |
* correctly. Requires any certificate that is not self-signed.
|
|
44 |
*
|
|
45 |
* NOTE: this test uses Sun private classes which are subject to change.
|
|
46 |
*/
|
|
47 |
public class StatusResponseManagerTests {
|
|
48 |
|
|
49 |
private static final boolean debug = true;
|
|
50 |
private static final boolean ocspDebug = false;
|
|
51 |
|
|
52 |
// PKI components we will need for this test
|
|
53 |
static String passwd = "passphrase";
|
|
54 |
static String ROOT_ALIAS = "root";
|
|
55 |
static String INT_ALIAS = "intermediate";
|
|
56 |
static String SSL_ALIAS = "ssl";
|
|
57 |
static KeyStore rootKeystore; // Root CA Keystore
|
|
58 |
static KeyStore intKeystore; // Intermediate CA Keystore
|
|
59 |
static KeyStore serverKeystore; // SSL Server Keystore
|
|
60 |
static KeyStore trustStore; // SSL Client trust store
|
|
61 |
static X509Certificate rootCert;
|
|
62 |
static X509Certificate intCert;
|
|
63 |
static X509Certificate sslCert;
|
|
64 |
static SimpleOCSPServer rootOcsp; // Root CA OCSP Responder
|
|
65 |
static int rootOcspPort; // Port number for root OCSP
|
|
66 |
static SimpleOCSPServer intOcsp; // Intermediate CA OCSP Responder
|
|
67 |
static int intOcspPort; // Port number for intermed. OCSP
|
|
68 |
|
|
69 |
static X509Certificate[] chain;
|
|
70 |
|
|
71 |
public static void main(String[] args) throws Exception {
|
|
72 |
Map<String, TestCase> testList =
|
|
73 |
new LinkedHashMap<String, TestCase>() {{
|
|
74 |
put("Basic OCSP fetch test", testOcspFetch);
|
|
75 |
put("Clear StatusResponseManager cache", testClearSRM);
|
|
76 |
put("Basic OCSP_MULTI fetch test", testOcspMultiFetch);
|
|
77 |
put("Test Cache Expiration", testCacheExpiry);
|
|
78 |
}};
|
|
79 |
|
|
80 |
// Create the CAs and OCSP responders
|
|
81 |
createPKI();
|
|
82 |
|
|
83 |
// Grab the certificates and make a chain we can reuse for tests
|
|
84 |
sslCert = (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
|
|
85 |
intCert = (X509Certificate)intKeystore.getCertificate(INT_ALIAS);
|
|
86 |
rootCert = (X509Certificate)rootKeystore.getCertificate(ROOT_ALIAS);
|
|
87 |
chain = new X509Certificate[3];
|
|
88 |
chain[0] = sslCert;
|
|
89 |
chain[1] = intCert;
|
|
90 |
chain[2] = rootCert;
|
|
91 |
|
|
92 |
runTests(testList);
|
|
93 |
|
|
94 |
intOcsp.stop();
|
|
95 |
rootOcsp.stop();
|
|
96 |
}
|
|
97 |
|
|
98 |
// Test a simple RFC 6066 server-side fetch
|
|
99 |
public static final TestCase testOcspFetch = new TestCase() {
|
|
100 |
@Override
|
|
101 |
public Map.Entry<Boolean, String> runTest() {
|
|
102 |
StatusResponseManager srm = new StatusResponseManager();
|
|
103 |
Boolean pass = Boolean.FALSE;
|
|
104 |
String message = null;
|
|
105 |
CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP;
|
|
106 |
|
|
107 |
try {
|
|
108 |
// Get OCSP responses for non-root certs in the chain
|
|
109 |
Map<X509Certificate, byte[]> responseMap = srm.get(
|
|
110 |
CertStatusRequestType.OCSP, oReq, chain, 5000,
|
|
111 |
TimeUnit.MILLISECONDS);
|
|
112 |
|
|
113 |
// There should be one entry in the returned map and
|
|
114 |
// one entry in the cache when the operation is complete.
|
|
115 |
if (responseMap.size() != 1) {
|
|
116 |
message = "Incorrect number of responses: expected 1, got "
|
|
117 |
+ responseMap.size();
|
|
118 |
} else if (!responseMap.containsKey(sslCert)) {
|
|
119 |
message = "Response map key is incorrect, expected " +
|
|
120 |
sslCert.getSubjectX500Principal().toString();
|
|
121 |
} else if (srm.size() != 1) {
|
|
122 |
message = "Incorrect number of cache entries: " +
|
|
123 |
"expected 1, got " + srm.size();
|
|
124 |
} else {
|
|
125 |
pass = Boolean.TRUE;
|
|
126 |
}
|
|
127 |
} catch (Exception e) {
|
|
128 |
e.printStackTrace(System.out);
|
|
129 |
message = e.getClass().getName();
|
|
130 |
}
|
|
131 |
|
|
132 |
return new AbstractMap.SimpleEntry<>(pass, message);
|
|
133 |
}
|
|
134 |
};
|
|
135 |
|
|
136 |
// Test clearing the StatusResponseManager cache.
|
|
137 |
public static final TestCase testClearSRM = new TestCase() {
|
|
138 |
@Override
|
|
139 |
public Map.Entry<Boolean, String> runTest() {
|
|
140 |
StatusResponseManager srm = new StatusResponseManager();
|
|
141 |
Boolean pass = Boolean.FALSE;
|
|
142 |
String message = null;
|
|
143 |
CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
|
|
144 |
|
|
145 |
try {
|
|
146 |
// Get OCSP responses for non-root certs in the chain
|
|
147 |
srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
|
|
148 |
TimeUnit.MILLISECONDS);
|
|
149 |
|
|
150 |
// There should be two entries in the returned map and
|
|
151 |
// two entries in the cache when the operation is complete.
|
|
152 |
if (srm.size() != 2) {
|
|
153 |
message = "Incorrect number of responses: expected 2, got "
|
|
154 |
+ srm.size();
|
|
155 |
} else {
|
|
156 |
// Next, clear the SRM, then check the size again
|
|
157 |
srm.clear();
|
|
158 |
if (srm.size() != 0) {
|
|
159 |
message = "Incorrect number of responses: expected 0," +
|
|
160 |
" got " + srm.size();
|
|
161 |
} else {
|
|
162 |
pass = Boolean.TRUE;
|
|
163 |
}
|
|
164 |
}
|
|
165 |
} catch (Exception e) {
|
|
166 |
e.printStackTrace(System.out);
|
|
167 |
message = e.getClass().getName();
|
|
168 |
}
|
|
169 |
|
|
170 |
return new AbstractMap.SimpleEntry<>(pass, message);
|
|
171 |
}
|
|
172 |
};
|
|
173 |
|
|
174 |
// Test a simple RFC 6961 server-side fetch
|
|
175 |
public static final TestCase testOcspMultiFetch = new TestCase() {
|
|
176 |
@Override
|
|
177 |
public Map.Entry<Boolean, String> runTest() {
|
|
178 |
StatusResponseManager srm = new StatusResponseManager();
|
|
179 |
Boolean pass = Boolean.FALSE;
|
|
180 |
String message = null;
|
|
181 |
CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
|
|
182 |
|
|
183 |
try {
|
|
184 |
// Get OCSP responses for non-root certs in the chain
|
|
185 |
Map<X509Certificate, byte[]> responseMap = srm.get(
|
|
186 |
CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
|
|
187 |
TimeUnit.MILLISECONDS);
|
|
188 |
|
|
189 |
// There should be two entries in the returned map and
|
|
190 |
// two entries in the cache when the operation is complete.
|
|
191 |
if (responseMap.size() != 2) {
|
|
192 |
message = "Incorrect number of responses: expected 2, got "
|
|
193 |
+ responseMap.size();
|
|
194 |
} else if (!responseMap.containsKey(sslCert) ||
|
|
195 |
!responseMap.containsKey(intCert)) {
|
|
196 |
message = "Response map keys are incorrect, expected " +
|
|
197 |
sslCert.getSubjectX500Principal().toString() +
|
|
198 |
" and " +
|
|
199 |
intCert.getSubjectX500Principal().toString();
|
|
200 |
} else if (srm.size() != 2) {
|
|
201 |
message = "Incorrect number of cache entries: " +
|
|
202 |
"expected 2, got " + srm.size();
|
|
203 |
} else {
|
|
204 |
pass = Boolean.TRUE;
|
|
205 |
}
|
|
206 |
} catch (Exception e) {
|
|
207 |
e.printStackTrace(System.out);
|
|
208 |
message = e.getClass().getName();
|
|
209 |
}
|
|
210 |
|
|
211 |
return new AbstractMap.SimpleEntry<>(pass, message);
|
|
212 |
}
|
|
213 |
};
|
|
214 |
|
|
215 |
// Test cache expiration
|
|
216 |
public static final TestCase testCacheExpiry = new TestCase() {
|
|
217 |
@Override
|
|
218 |
public Map.Entry<Boolean, String> runTest() {
|
|
219 |
// For this test, we will set the cache expiry to 5 seconds
|
|
220 |
System.setProperty("jdk.tls.stapling.cacheLifetime", "5");
|
|
221 |
StatusResponseManager srm = new StatusResponseManager();
|
|
222 |
Boolean pass = Boolean.FALSE;
|
|
223 |
String message = null;
|
|
224 |
CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
|
|
225 |
|
|
226 |
try {
|
|
227 |
// Get OCSP responses for non-root certs in the chain
|
|
228 |
srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
|
|
229 |
TimeUnit.MILLISECONDS);
|
|
230 |
|
|
231 |
// There should be two entries in the returned map and
|
|
232 |
// two entries in the cache when the operation is complete.
|
|
233 |
if (srm.size() != 2) {
|
|
234 |
message = "Incorrect number of responses: expected 2, got "
|
|
235 |
+ srm.size();
|
|
236 |
} else {
|
|
237 |
// Next, wait for more than 5 seconds so the responses
|
|
238 |
// in the SRM will expire.
|
|
239 |
Thread.sleep(7000);
|
|
240 |
if (srm.size() != 0) {
|
|
241 |
message = "Incorrect number of responses: expected 0," +
|
|
242 |
" got " + srm.size();
|
|
243 |
} else {
|
|
244 |
pass = Boolean.TRUE;
|
|
245 |
}
|
|
246 |
}
|
|
247 |
} catch (Exception e) {
|
|
248 |
e.printStackTrace(System.out);
|
|
249 |
message = e.getClass().getName();
|
|
250 |
}
|
|
251 |
|
|
252 |
// Set the cache lifetime back to the default
|
|
253 |
System.setProperty("jdk.tls.stapling.cacheLifetime", "");
|
|
254 |
return new AbstractMap.SimpleEntry<>(pass, message);
|
|
255 |
}
|
|
256 |
};
|
|
257 |
|
|
258 |
/**
|
|
259 |
* Creates the PKI components necessary for this test, including
|
|
260 |
* Root CA, Intermediate CA and SSL server certificates, the keystores
|
|
261 |
* for each entity, a client trust store, and starts the OCSP responders.
|
|
262 |
*/
|
|
263 |
private static void createPKI() throws Exception {
|
|
264 |
CertificateBuilder cbld = new CertificateBuilder();
|
|
265 |
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
|
|
266 |
keyGen.initialize(2048);
|
|
267 |
KeyStore.Builder keyStoreBuilder =
|
|
268 |
KeyStore.Builder.newInstance("PKCS12", null,
|
|
269 |
new KeyStore.PasswordProtection(passwd.toCharArray()));
|
|
270 |
|
|
271 |
// Generate Root, IntCA, EE keys
|
|
272 |
KeyPair rootCaKP = keyGen.genKeyPair();
|
|
273 |
log("Generated Root CA KeyPair");
|
|
274 |
KeyPair intCaKP = keyGen.genKeyPair();
|
|
275 |
log("Generated Intermediate CA KeyPair");
|
|
276 |
KeyPair sslKP = keyGen.genKeyPair();
|
|
277 |
log("Generated SSL Cert KeyPair");
|
|
278 |
|
|
279 |
// Set up the Root CA Cert
|
|
280 |
cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
|
|
281 |
cbld.setPublicKey(rootCaKP.getPublic());
|
|
282 |
cbld.setSerialNumber(new BigInteger("1"));
|
|
283 |
// Make a 3 year validity starting from 60 days ago
|
|
284 |
long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
|
|
285 |
long end = start + TimeUnit.DAYS.toMillis(1085);
|
|
286 |
cbld.setValidity(new Date(start), new Date(end));
|
|
287 |
addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
|
|
288 |
addCommonCAExts(cbld);
|
|
289 |
// Make our Root CA Cert!
|
|
290 |
X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
|
|
291 |
"SHA256withRSA");
|
|
292 |
log("Root CA Created:\n" + certInfo(rootCert));
|
|
293 |
|
|
294 |
// Now build a keystore and add the keys and cert
|
|
295 |
rootKeystore = keyStoreBuilder.getKeyStore();
|
|
296 |
Certificate[] rootChain = {rootCert};
|
|
297 |
rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
|
|
298 |
passwd.toCharArray(), rootChain);
|
|
299 |
|
|
300 |
// Now fire up the OCSP responder
|
|
301 |
rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
|
|
302 |
rootOcsp.enableLog(ocspDebug);
|
|
303 |
rootOcsp.setNextUpdateInterval(3600);
|
|
304 |
rootOcsp.start();
|
|
305 |
|
|
306 |
// Wait 5 seconds for server ready
|
|
307 |
for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
|
|
308 |
Thread.sleep(50);
|
|
309 |
}
|
|
310 |
if (!rootOcsp.isServerReady()) {
|
|
311 |
throw new RuntimeException("Server not ready yet");
|
|
312 |
}
|
|
313 |
|
|
314 |
rootOcspPort = rootOcsp.getPort();
|
|
315 |
String rootRespURI = "http://localhost:" + rootOcspPort;
|
|
316 |
log("Root OCSP Responder URI is " + rootRespURI);
|
|
317 |
|
|
318 |
// Now that we have the root keystore and OCSP responder we can
|
|
319 |
// create our intermediate CA.
|
|
320 |
cbld.reset();
|
|
321 |
cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
|
|
322 |
cbld.setPublicKey(intCaKP.getPublic());
|
|
323 |
cbld.setSerialNumber(new BigInteger("100"));
|
|
324 |
// Make a 2 year validity starting from 30 days ago
|
|
325 |
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
|
|
326 |
end = start + TimeUnit.DAYS.toMillis(730);
|
|
327 |
cbld.setValidity(new Date(start), new Date(end));
|
|
328 |
addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
|
|
329 |
addCommonCAExts(cbld);
|
|
330 |
cbld.addAIAExt(Collections.singletonList(rootRespURI));
|
|
331 |
// Make our Intermediate CA Cert!
|
|
332 |
X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
|
|
333 |
"SHA256withRSA");
|
|
334 |
log("Intermediate CA Created:\n" + certInfo(intCaCert));
|
|
335 |
|
|
336 |
// Provide intermediate CA cert revocation info to the Root CA
|
|
337 |
// OCSP responder.
|
|
338 |
Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
|
|
339 |
new HashMap<>();
|
|
340 |
revInfo.put(intCaCert.getSerialNumber(),
|
|
341 |
new SimpleOCSPServer.CertStatusInfo(
|
|
342 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
|
|
343 |
rootOcsp.updateStatusDb(revInfo);
|
|
344 |
|
|
345 |
// Now build a keystore and add the keys, chain and root cert as a TA
|
|
346 |
intKeystore = keyStoreBuilder.getKeyStore();
|
|
347 |
Certificate[] intChain = {intCaCert, rootCert};
|
|
348 |
intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
|
|
349 |
passwd.toCharArray(), intChain);
|
|
350 |
intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
|
|
351 |
|
|
352 |
// Now fire up the Intermediate CA OCSP responder
|
|
353 |
intOcsp = new SimpleOCSPServer(intKeystore, passwd,
|
|
354 |
INT_ALIAS, null);
|
|
355 |
intOcsp.enableLog(ocspDebug);
|
|
356 |
intOcsp.setNextUpdateInterval(3600);
|
|
357 |
intOcsp.start();
|
|
358 |
|
|
359 |
// Wait 5 seconds for server ready
|
|
360 |
for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
|
|
361 |
Thread.sleep(50);
|
|
362 |
}
|
|
363 |
if (!intOcsp.isServerReady()) {
|
|
364 |
throw new RuntimeException("Server not ready yet");
|
|
365 |
}
|
|
366 |
|
|
367 |
intOcspPort = intOcsp.getPort();
|
|
368 |
String intCaRespURI = "http://localhost:" + intOcspPort;
|
|
369 |
log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
|
|
370 |
|
|
371 |
// Last but not least, let's make our SSLCert and add it to its own
|
|
372 |
// Keystore
|
|
373 |
cbld.reset();
|
|
374 |
cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
|
|
375 |
cbld.setPublicKey(sslKP.getPublic());
|
|
376 |
cbld.setSerialNumber(new BigInteger("4096"));
|
|
377 |
// Make a 1 year validity starting from 7 days ago
|
|
378 |
start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
|
|
379 |
end = start + TimeUnit.DAYS.toMillis(365);
|
|
380 |
cbld.setValidity(new Date(start), new Date(end));
|
|
381 |
|
|
382 |
// Add extensions
|
|
383 |
addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
|
|
384 |
boolean[] kuBits = {true, false, true, false, false, false,
|
|
385 |
false, false, false};
|
|
386 |
cbld.addKeyUsageExt(kuBits);
|
|
387 |
List<String> ekuOids = new ArrayList<>();
|
|
388 |
ekuOids.add("1.3.6.1.5.5.7.3.1");
|
|
389 |
ekuOids.add("1.3.6.1.5.5.7.3.2");
|
|
390 |
cbld.addExtendedKeyUsageExt(ekuOids);
|
|
391 |
cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
|
|
392 |
cbld.addAIAExt(Collections.singletonList(intCaRespURI));
|
|
393 |
// Make our SSL Server Cert!
|
|
394 |
X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
|
|
395 |
"SHA256withRSA");
|
|
396 |
log("SSL Certificate Created:\n" + certInfo(sslCert));
|
|
397 |
|
|
398 |
// Provide SSL server cert revocation info to the Intermeidate CA
|
|
399 |
// OCSP responder.
|
|
400 |
revInfo = new HashMap<>();
|
|
401 |
revInfo.put(sslCert.getSerialNumber(),
|
|
402 |
new SimpleOCSPServer.CertStatusInfo(
|
|
403 |
SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
|
|
404 |
intOcsp.updateStatusDb(revInfo);
|
|
405 |
|
|
406 |
// Now build a keystore and add the keys, chain and root cert as a TA
|
|
407 |
serverKeystore = keyStoreBuilder.getKeyStore();
|
|
408 |
Certificate[] sslChain = {sslCert, intCaCert, rootCert};
|
|
409 |
serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
|
|
410 |
passwd.toCharArray(), sslChain);
|
|
411 |
serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
|
|
412 |
|
|
413 |
// And finally a Trust Store for the client
|
|
414 |
trustStore = keyStoreBuilder.getKeyStore();
|
|
415 |
trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
|
|
416 |
}
|
|
417 |
|
|
418 |
private static void addCommonExts(CertificateBuilder cbld,
|
|
419 |
PublicKey subjKey, PublicKey authKey) throws IOException {
|
|
420 |
cbld.addSubjectKeyIdExt(subjKey);
|
|
421 |
cbld.addAuthorityKeyIdExt(authKey);
|
|
422 |
}
|
|
423 |
|
|
424 |
private static void addCommonCAExts(CertificateBuilder cbld)
|
|
425 |
throws IOException {
|
|
426 |
cbld.addBasicConstraintsExt(true, true, -1);
|
|
427 |
// Set key usage bits for digitalSignature, keyCertSign and cRLSign
|
|
428 |
boolean[] kuBitSettings = {true, false, false, false, false, true,
|
|
429 |
true, false, false};
|
|
430 |
cbld.addKeyUsageExt(kuBitSettings);
|
|
431 |
}
|
|
432 |
|
|
433 |
/**
|
|
434 |
* Helper routine that dumps only a few cert fields rather than
|
|
435 |
* the whole toString() output.
|
|
436 |
*
|
|
437 |
* @param cert An X509Certificate to be displayed
|
|
438 |
*
|
|
439 |
* @return The {@link String} output of the issuer, subject and
|
|
440 |
* serial number
|
|
441 |
*/
|
|
442 |
private static String certInfo(X509Certificate cert) {
|
|
443 |
StringBuilder sb = new StringBuilder();
|
|
444 |
sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
|
|
445 |
append("\n");
|
|
446 |
sb.append("Subject: ").append(cert.getSubjectX500Principal()).
|
|
447 |
append("\n");
|
|
448 |
sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
|
|
449 |
return sb.toString();
|
|
450 |
}
|
|
451 |
|
|
452 |
/**
|
|
453 |
* Log a message on stdout
|
|
454 |
*
|
|
455 |
* @param message The message to log
|
|
456 |
*/
|
|
457 |
private static void log(String message) {
|
|
458 |
if (debug) {
|
|
459 |
System.out.println(message);
|
|
460 |
}
|
|
461 |
}
|
|
462 |
|
|
463 |
public static void runTests(Map<String, TestCase> testList) {
|
|
464 |
int testNo = 0;
|
|
465 |
int numberFailed = 0;
|
|
466 |
Map.Entry<Boolean, String> result;
|
|
467 |
|
|
468 |
System.out.println("============ Tests ============");
|
|
469 |
for (String testName : testList.keySet()) {
|
|
470 |
System.out.println("Test " + ++testNo + ": " + testName);
|
|
471 |
result = testList.get(testName).runTest();
|
|
472 |
System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL"));
|
|
473 |
System.out.println(" " +
|
|
474 |
(result.getValue() != null ? result.getValue() : ""));
|
|
475 |
System.out.println("-------------------------------------------");
|
|
476 |
if (!result.getKey()) {
|
|
477 |
numberFailed++;
|
|
478 |
}
|
|
479 |
}
|
|
480 |
|
|
481 |
System.out.println("End Results: " + (testList.size() - numberFailed) +
|
|
482 |
" Passed" + ", " + numberFailed + " Failed.");
|
|
483 |
if (numberFailed > 0) {
|
|
484 |
throw new RuntimeException(
|
|
485 |
"One or more tests failed, see test output for details");
|
|
486 |
}
|
|
487 |
}
|
|
488 |
|
|
489 |
public interface TestCase {
|
|
490 |
Map.Entry<Boolean, String> runTest();
|
|
491 |
}
|
|
492 |
}
|