48256
|
1 |
/*
|
54803
|
2 |
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
|
48256
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
|
4 |
*
|
|
5 |
* This code is free software; you can redistribute it and/or modify it
|
|
6 |
* under the terms of the GNU General Public License version 2 only, as
|
|
7 |
* published by the Free Software Foundation.
|
|
8 |
*
|
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT
|
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that
|
|
13 |
* accompanied this code).
|
|
14 |
*
|
|
15 |
* You should have received a copy of the GNU General Public License version
|
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation,
|
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
18 |
*
|
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
|
20 |
* or visit www.oracle.com if you need additional information or have any
|
|
21 |
* questions.
|
|
22 |
*/
|
|
23 |
|
|
24 |
import java.io.ByteArrayInputStream;
|
|
25 |
import java.io.FileInputStream;
|
|
26 |
import java.io.IOException;
|
|
27 |
import java.io.PrintStream;
|
|
28 |
import java.net.URI;
|
|
29 |
import java.net.URISyntaxException;
|
|
30 |
import java.security.InvalidAlgorithmParameterException;
|
|
31 |
import java.security.KeyStore;
|
|
32 |
import java.security.KeyStoreException;
|
|
33 |
import java.security.NoSuchAlgorithmException;
|
|
34 |
import java.security.Security;
|
|
35 |
import java.security.cert.CertPath;
|
|
36 |
import java.security.cert.CertPathValidator;
|
|
37 |
import java.security.cert.CertPathValidatorException;
|
|
38 |
import java.security.cert.CertificateException;
|
|
39 |
import java.security.cert.CertificateExpiredException;
|
|
40 |
import java.security.cert.CertificateFactory;
|
|
41 |
import java.security.cert.CertificateRevokedException;
|
|
42 |
import java.security.cert.PKIXParameters;
|
|
43 |
import java.security.cert.PKIXRevocationChecker;
|
|
44 |
import java.security.cert.X509Certificate;
|
|
45 |
import java.text.DateFormat;
|
|
46 |
import java.text.ParseException;
|
|
47 |
import java.text.SimpleDateFormat;
|
|
48 |
import java.util.ArrayList;
|
|
49 |
import java.util.Date;
|
|
50 |
import java.util.EnumSet;
|
|
51 |
import java.util.Locale;
|
|
52 |
|
|
53 |
/**
|
|
54 |
* Utility class to validate certificate path. It supports OCSP and/or CRL
|
|
55 |
* validation.
|
|
56 |
*/
|
|
57 |
public class ValidatePathWithParams {
|
|
58 |
|
|
59 |
private static final String FS = System.getProperty("file.separator");
|
|
60 |
private static final String CACERTS_STORE = System.getProperty("test.jdk")
|
|
61 |
+ FS + "lib" + FS + "security" + FS + "cacerts";
|
|
62 |
|
|
63 |
private final String[] trustedRootCerts;
|
|
64 |
|
|
65 |
// use this for expired cert validation
|
|
66 |
private Date validationDate = null;
|
|
67 |
|
|
68 |
// expected certificate status
|
|
69 |
private Status expectedStatus = Status.UNKNOWN;
|
|
70 |
private Date expectedRevDate = null;
|
|
71 |
|
|
72 |
private final CertPathValidator certPathValidator;
|
|
73 |
private final PKIXRevocationChecker certPathChecker;
|
|
74 |
private final CertificateFactory cf;
|
|
75 |
|
|
76 |
/**
|
|
77 |
* Possible status values supported for EE certificate
|
|
78 |
*/
|
|
79 |
public static enum Status {
|
|
80 |
UNKNOWN, GOOD, REVOKED, EXPIRED;
|
|
81 |
}
|
|
82 |
|
|
83 |
/**
|
|
84 |
* Constructor
|
|
85 |
*
|
|
86 |
* @param additionalTrustRoots trusted root certificates
|
|
87 |
* @throws IOException
|
|
88 |
* @throws CertificateException
|
|
89 |
* @throws NoSuchAlgorithmException
|
|
90 |
*/
|
|
91 |
public ValidatePathWithParams(String[] additionalTrustRoots)
|
|
92 |
throws IOException, CertificateException, NoSuchAlgorithmException {
|
|
93 |
|
|
94 |
cf = CertificateFactory.getInstance("X509");
|
|
95 |
certPathValidator = CertPathValidator.getInstance("PKIX");
|
|
96 |
certPathChecker
|
|
97 |
= (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
|
|
98 |
|
|
99 |
if ((additionalTrustRoots == null) || (additionalTrustRoots[0] == null)) {
|
|
100 |
trustedRootCerts = null;
|
|
101 |
} else {
|
|
102 |
trustedRootCerts = additionalTrustRoots.clone();
|
|
103 |
}
|
|
104 |
}
|
|
105 |
|
|
106 |
/**
|
|
107 |
* Validate certificates
|
|
108 |
*
|
|
109 |
* @param certsToValidate Certificates to validate
|
|
110 |
* @param st expected certificate status
|
|
111 |
* @param revDate if revoked, expected revocation date
|
|
112 |
* @param out PrintStream to log messages
|
|
113 |
* @throws IOException
|
|
114 |
* @throws CertificateException
|
|
115 |
* @throws InvalidAlgorithmParameterException
|
|
116 |
* @throws ParseException
|
|
117 |
* @throws NoSuchAlgorithmException
|
|
118 |
* @throws KeyStoreException
|
|
119 |
*/
|
|
120 |
public void validate(String[] certsToValidate,
|
|
121 |
Status st,
|
|
122 |
String revDate,
|
|
123 |
PrintStream out)
|
|
124 |
throws IOException, CertificateException,
|
|
125 |
InvalidAlgorithmParameterException, ParseException,
|
|
126 |
NoSuchAlgorithmException, KeyStoreException {
|
|
127 |
|
|
128 |
expectedStatus = st;
|
|
129 |
if (expectedStatus == Status.REVOKED) {
|
|
130 |
if (revDate != null) {
|
|
131 |
expectedRevDate = new SimpleDateFormat("EEE MMM dd HH:mm:ss Z yyyy",
|
|
132 |
Locale.US).parse(revDate);
|
|
133 |
}
|
|
134 |
}
|
|
135 |
|
|
136 |
Status certStatus = null;
|
|
137 |
Date revocationDate = null;
|
|
138 |
|
|
139 |
logSettings(out);
|
|
140 |
|
|
141 |
try {
|
|
142 |
doCertPathValidate(certsToValidate, out);
|
|
143 |
certStatus = Status.GOOD;
|
|
144 |
} catch (IOException ioe) {
|
|
145 |
// Some machines don't have network setup correctly to be able to
|
|
146 |
// reach outside world, skip such failures
|
|
147 |
out.println("WARNING: Network setup issue, skip this test");
|
|
148 |
ioe.printStackTrace(System.err);
|
|
149 |
return;
|
|
150 |
} catch (CertPathValidatorException cpve) {
|
|
151 |
out.println("Received exception: " + cpve);
|
|
152 |
|
|
153 |
if (cpve.getCause() instanceof IOException) {
|
|
154 |
out.println("WARNING: CertPathValidatorException caused by IO"
|
|
155 |
+ " error, skip this test");
|
|
156 |
return;
|
|
157 |
}
|
|
158 |
|
|
159 |
if (cpve.getReason() == CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED) {
|
|
160 |
out.println("WARNING: CertPathValidatorException caused by"
|
|
161 |
+ " restricted algorithm, skip this test");
|
|
162 |
return;
|
|
163 |
}
|
|
164 |
|
|
165 |
if (cpve.getReason() == CertPathValidatorException.BasicReason.REVOKED
|
|
166 |
|| cpve.getCause() instanceof CertificateRevokedException) {
|
|
167 |
certStatus = Status.REVOKED;
|
|
168 |
if (cpve.getCause() instanceof CertificateRevokedException) {
|
|
169 |
CertificateRevokedException cre
|
|
170 |
= (CertificateRevokedException) cpve.getCause();
|
|
171 |
revocationDate = cre.getRevocationDate();
|
|
172 |
}
|
|
173 |
} else if (cpve.getReason() == CertPathValidatorException.BasicReason.EXPIRED
|
|
174 |
|| cpve.getCause() instanceof CertificateExpiredException) {
|
|
175 |
certStatus = Status.EXPIRED;
|
|
176 |
} else {
|
|
177 |
throw new RuntimeException(
|
|
178 |
"TEST FAILED: couldn't determine EE certificate status");
|
|
179 |
}
|
|
180 |
}
|
|
181 |
|
|
182 |
out.println("Expected Certificate status: " + expectedStatus);
|
|
183 |
out.println("Certificate status after validation: " + certStatus.name());
|
|
184 |
|
|
185 |
// Don't want test to fail in case certificate is expired when not expected
|
|
186 |
// Simply skip the test.
|
|
187 |
if (expectedStatus != Status.EXPIRED && certStatus == Status.EXPIRED) {
|
|
188 |
out.println("WARNING: Certificate expired, skip the test");
|
|
189 |
return;
|
|
190 |
}
|
|
191 |
|
|
192 |
if (certStatus != expectedStatus) {
|
|
193 |
throw new RuntimeException(
|
|
194 |
"TEST FAILED: unexpected status of EE certificate");
|
|
195 |
}
|
|
196 |
|
|
197 |
if (certStatus == Status.REVOKED) {
|
|
198 |
// Check revocation date
|
|
199 |
if (revocationDate != null) {
|
|
200 |
out.println(
|
|
201 |
"Certificate revocation date:" + revocationDate.toString());
|
|
202 |
if (expectedRevDate != null) {
|
|
203 |
out.println(
|
|
204 |
"Expected revocation date:" + expectedRevDate.toString());
|
|
205 |
if (!expectedRevDate.equals(revocationDate)) {
|
|
206 |
throw new RuntimeException(
|
|
207 |
"TEST FAILED: unexpected revocation date");
|
|
208 |
}
|
|
209 |
}
|
|
210 |
} else {
|
|
211 |
throw new RuntimeException("TEST FAILED: no revocation date");
|
|
212 |
}
|
|
213 |
}
|
|
214 |
}
|
|
215 |
|
|
216 |
private void logSettings(PrintStream out) {
|
|
217 |
out.println();
|
|
218 |
out.println("=====================================================");
|
|
219 |
out.println("CONFIGURATION");
|
|
220 |
out.println("=====================================================");
|
|
221 |
out.println("http.proxyHost :" + System.getProperty("http.proxyHost"));
|
|
222 |
out.println("http.proxyPort :" + System.getProperty("http.proxyPort"));
|
|
223 |
out.println("https.proxyHost :" + System.getProperty("https.proxyHost"));
|
|
224 |
out.println("https.proxyPort :" + System.getProperty("https.proxyPort"));
|
|
225 |
out.println("https.socksProxyHost :"
|
|
226 |
+ System.getProperty("https.socksProxyHost"));
|
|
227 |
out.println("https.socksProxyPort :"
|
|
228 |
+ System.getProperty("https.socksProxyPort"));
|
|
229 |
out.println("jdk.certpath.disabledAlgorithms :"
|
|
230 |
+ Security.getProperty("jdk.certpath.disabledAlgorithms"));
|
|
231 |
out.println("Revocation options :" + certPathChecker.getOptions());
|
|
232 |
out.println("OCSP responder set :" + certPathChecker.getOcspResponder());
|
|
233 |
out.println("Trusted root set: " + (trustedRootCerts != null));
|
|
234 |
|
|
235 |
if (validationDate != null) {
|
|
236 |
out.println("Validation Date:" + validationDate.toString());
|
|
237 |
}
|
|
238 |
out.println("Expected EE Status:" + expectedStatus.name());
|
|
239 |
if (expectedStatus == Status.REVOKED && expectedRevDate != null) {
|
|
240 |
out.println(
|
|
241 |
"Expected EE Revocation Date:" + expectedRevDate.toString());
|
|
242 |
}
|
|
243 |
out.println("=====================================================");
|
|
244 |
}
|
|
245 |
|
|
246 |
private void doCertPathValidate(String[] certsToValidate, PrintStream out)
|
|
247 |
throws IOException, CertificateException,
|
|
248 |
InvalidAlgorithmParameterException, ParseException,
|
|
249 |
NoSuchAlgorithmException, CertPathValidatorException, KeyStoreException {
|
|
250 |
|
|
251 |
if (certsToValidate == null) {
|
|
252 |
throw new RuntimeException("Require atleast one cert to validate");
|
|
253 |
}
|
|
254 |
|
|
255 |
// Generate CertPath with certsToValidate
|
54803
|
256 |
ArrayList<X509Certificate> certs = new ArrayList<>();
|
48256
|
257 |
for (String cert : certsToValidate) {
|
|
258 |
if (cert != null) {
|
|
259 |
certs.add(getCertificate(cert));
|
|
260 |
}
|
|
261 |
}
|
|
262 |
CertPath certPath = (CertPath) cf.generateCertPath(certs);
|
|
263 |
|
|
264 |
// Set cacerts as anchor
|
|
265 |
KeyStore cacerts = KeyStore.getInstance("JKS");
|
|
266 |
try (FileInputStream fis = new FileInputStream(CACERTS_STORE)) {
|
|
267 |
cacerts.load(fis, "changeit".toCharArray());
|
|
268 |
} catch (IOException | NoSuchAlgorithmException | CertificateException ex) {
|
|
269 |
throw new RuntimeException(ex);
|
|
270 |
}
|
|
271 |
|
|
272 |
// Set additional trust certificates
|
|
273 |
if (trustedRootCerts != null) {
|
|
274 |
for (int i = 0; i < trustedRootCerts.length; i++) {
|
|
275 |
X509Certificate rootCACert = getCertificate(trustedRootCerts[i]);
|
|
276 |
cacerts.setCertificateEntry("tempca" + i, rootCACert);
|
|
277 |
}
|
|
278 |
}
|
|
279 |
|
|
280 |
PKIXParameters params;
|
|
281 |
params = new PKIXParameters(cacerts);
|
|
282 |
params.addCertPathChecker(certPathChecker);
|
|
283 |
|
|
284 |
// Set backdated validation if requested, if null, current date is set
|
|
285 |
params.setDate(validationDate);
|
|
286 |
|
|
287 |
// Validate
|
|
288 |
certPathValidator.validate(certPath, params);
|
|
289 |
out.println("Successful CertPath validation");
|
|
290 |
}
|
|
291 |
|
|
292 |
private X509Certificate getCertificate(String encodedCert)
|
|
293 |
throws IOException, CertificateException {
|
|
294 |
ByteArrayInputStream is
|
|
295 |
= new ByteArrayInputStream(encodedCert.getBytes());
|
|
296 |
X509Certificate cert = (X509Certificate) cf.generateCertificate(is);
|
|
297 |
return cert;
|
|
298 |
}
|
|
299 |
|
|
300 |
/**
|
|
301 |
* Set list of disabled algorithms
|
|
302 |
*
|
|
303 |
* @param algos algorithms to disable
|
|
304 |
*/
|
|
305 |
public static void setDisabledAlgorithms(String algos) {
|
|
306 |
Security.setProperty("jdk.certpath.disabledAlgorithms", algos);
|
|
307 |
}
|
|
308 |
|
|
309 |
/**
|
|
310 |
* Enable OCSP only revocation checks, treat network error as success
|
|
311 |
*/
|
|
312 |
public void enableOCSPCheck() {
|
|
313 |
// OCSP is by default, disable fallback to CRL
|
|
314 |
certPathChecker.setOptions(EnumSet.of(
|
|
315 |
PKIXRevocationChecker.Option.NO_FALLBACK));
|
|
316 |
}
|
|
317 |
|
|
318 |
/**
|
|
319 |
* Enable CRL only revocation check, treat network error as success
|
|
320 |
*/
|
|
321 |
public void enableCRLCheck() {
|
|
322 |
certPathChecker.setOptions(EnumSet.of(
|
|
323 |
PKIXRevocationChecker.Option.PREFER_CRLS,
|
|
324 |
PKIXRevocationChecker.Option.NO_FALLBACK));
|
|
325 |
}
|
|
326 |
|
|
327 |
/**
|
|
328 |
* Overrides OCSP responder URL in AIA extension of certificate
|
|
329 |
*
|
|
330 |
* @param url OCSP responder
|
|
331 |
* @throws URISyntaxException
|
|
332 |
*/
|
|
333 |
public void setOCSPResponderURL(String url) throws URISyntaxException {
|
|
334 |
certPathChecker.setOcspResponder(new URI(url));
|
|
335 |
}
|
|
336 |
|
|
337 |
/**
|
|
338 |
* Set validation date for EE certificate
|
|
339 |
*
|
|
340 |
* @param vDate string formatted date
|
|
341 |
* @throws ParseException if vDate is incorrect
|
|
342 |
*/
|
|
343 |
public void setValidationDate(String vDate) throws ParseException {
|
|
344 |
validationDate = DateFormat.getDateInstance(DateFormat.MEDIUM,
|
|
345 |
Locale.US).parse(vDate);
|
|
346 |
}
|
|
347 |
|
|
348 |
/**
|
|
349 |
* Reset validation date for EE certificate to current date
|
|
350 |
*/
|
|
351 |
public void resetValidationDate() {
|
|
352 |
validationDate = null;
|
|
353 |
}
|
|
354 |
}
|