|
1 /* |
|
2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. Oracle designates this |
|
8 * particular file as subject to the "Classpath" exception as provided |
|
9 * by Oracle in the LICENSE file that accompanied this code. |
|
10 * |
|
11 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 * version 2 for more details (a copy is included in the LICENSE file that |
|
15 * accompanied this code). |
|
16 * |
|
17 * You should have received a copy of the GNU General Public License version |
|
18 * 2 along with this work; if not, write to the Free Software Foundation, |
|
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 * |
|
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 * or visit www.oracle.com if you need additional information or have any |
|
23 * questions. |
|
24 */ |
|
25 |
|
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringBufferInputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import sun.net.spi.nameservice.NameService;
import sun.net.spi.nameservice.NameServiceDescriptor;
|
49 |
|
50 /* |
|
51 * @test |
|
52 * @bug 8134708 |
|
53 * @summary Check if LDAP resources from CRLDP and AIA extensions can be loaded |
|
54 * @run main/othervm ExtensionsWithLDAP |
|
55 */ |
|
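/**
 * Regression test for JDK-8134708: with the CRLDP and AIA extensions enabled,
 * the PKIX {@link CertPathValidator} must try to fetch the LDAP resources named
 * in the end-entity certificate's CRL Distribution Points and Authority
 * Information Access extensions.
 *
 * <p>The test needs no network access. A custom {@link NameServiceDescriptor}
 * is registered as the JVM name service; it records every host name that is
 * looked up and then fails the lookup with {@link UnknownHostException}, so the
 * validator can never open a real LDAP connection. The test passes when both
 * LDAP host names from the extensions appear among the recorded lookups.
 *
 * <p>{@code sun.net.spi.nameservice} is a JDK-internal API, so this test is
 * tied to the JDK build it ships with.
 */
public class ExtensionsWithLDAP {

    /*
     * Certificate:
     *     Data:
     *         Version: 3 (0x2)
     *         Serial Number: 11174053930990688938 (0x9b1236d8f9c1daaa)
     *     Signature Algorithm: sha512WithRSAEncryption
     *         Issuer: CN=Root
     *         Validity
     *             Not Before: Sep  1 18:03:59 2015 GMT
     *             Not After : Jan 17 18:03:59 2043 GMT
     *         Subject: CN=Root
     */
    private static final String CA_CERT = ""
        + "-----BEGIN CERTIFICATE-----\n"
        + "MIIC8TCCAdmgAwIBAgIJAJsSNtj5wdqqMA0GCSqGSIb3DQEBDQUAMA8xDTALBgNV\n"
        + "BAMMBFJvb3QwHhcNMTUwOTAxMTgwMzU5WhcNNDMwMTE3MTgwMzU5WjAPMQ0wCwYD\n"
        + "VQQDDARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvj892vPm\n"
        + "bB++x9QqqyBveP+ZqQ2B1stV7vh5JmDnOTevkZUOcemp3SXu/esNLSbpL+fARYXH\n"
        + "V5ubnrfip6RbvcxPfVIIDJrRTLIIsU6W7M6/LJLbLkEVGy4ZV4IHkOw9W2O92rcv\n"
        + "BkoqhzZnOTGR6uT3rRcKx4RevEKBKhZO+OPPf//lnckOybmYL7t7yQrajzHro76b\n"
        + "QTXYjAUq/DKhglXfC7vF/JzlAvG2IunGmIfjGcnuDo/9X3Bxef/q5TxCS35fvb7t\n"
        + "svC+g2QhTcBkQh4uNW2jSjlTIVp1uErCfP5aCjLaez5mqmb1hxPIlcvsNR23HwU6\n"
        + "bQO7z7NBo9Do6QIDAQABo1AwTjAdBgNVHQ4EFgQUmLZNOBBkqdYoElyxklPYHmAb\n"
        + "QXIwHwYDVR0jBBgwFoAUmLZNOBBkqdYoElyxklPYHmAbQXIwDAYDVR0TBAUwAwEB\n"
        + "/zANBgkqhkiG9w0BAQ0FAAOCAQEAYV4fOhDi5q7+XNXCxO8Eil2frR9jqdP4LaQp\n"
        + "3L0evW0gvPX68s2WmkPWzIu4TJcpdGFQqxyQFSXuKBXjthyiln77QItGTHWeafES\n"
        + "q5ESrKdSaJZq1bTIrrReCIP74f+fY/F4Tnb3dCqzaljXfzpdbeRsIW6gF71xcOUQ\n"
        + "nnPEjGVPLUegN+Wn/jQpeLxxIB7FmNXncdRUfMfZ43xVSKuMCy1UUYqJqTa/pXZj\n"
        + "jCMeRPThRjRqHlJ69jStfWUQATbLyj9KN09rUaJxzmUSt61UqJi7sjcGySaCjAJc\n"
        + "IcCdVmX/DmRLsdv8W36O3MgrvpT1zR3kaAlv2d8HppnBqcL3xg==\n"
        + "-----END CERTIFICATE-----";

    /*
     * Certificate:
     *     Data:
     *         Version: 3 (0x2)
     *         Serial Number: 7 (0x7)
     *     Signature Algorithm: sha512WithRSAEncryption
     *         Issuer: CN=Root
     *         Validity
     *             Not Before: Sep  1 18:03:59 2015 GMT
     *             Not After : Jan 17 18:03:59 2043 GMT
     *         Subject: CN=EE
     *         ...
     *         X509v3 extensions:
     *             X509v3 CRL Distribution Points:
     *                 Full Name:
     *                   URI:ldap://ldap.host.for.crldp/main.crl
     *             Authority Information Access:
     *                 CA Issuers - URI:ldap://ldap.host.for.aia/dc=Root?cACertificate
     */
    private static final String EE_CERT = ""
        + "-----BEGIN CERTIFICATE-----\n"
        + "MIIDHTCCAgWgAwIBAgIBBzANBgkqhkiG9w0BAQ0FADAPMQ0wCwYDVQQDDARSb290\n"
        + "MB4XDTE1MDkwMTE4MDM1OVoXDTQzMDExNzE4MDM1OVowDTELMAkGA1UEAwwCRUUw\n"
        + "ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpyz97liuWPDYcLH9TX8Bi\n"
        + "T78olCmAfmevvch6ncXUVuCzbdaKuKXwn4EVbDszsVJLoK5zdtP+X3iDhutj+IgK\n"
        + "mLhuczF3M9VIcWr+JJUyTH4+3h/RT8cjCDZOmk9iXkb5ifruVsLqzb9g+Vp140Oz\n"
        + "7leikne7KmclHvTfvFd0WDI7Gb9vo4f5rT717BXJ/n+M6pNk8DLpLiEu6eziYvXR\n"
        + "v5x+t5Go3x0eCXdaxEQUf2j876Wfr2qHRJK7lDfFe1DDsMg/KpKGiILYZ+g2qtVM\n"
        + "ZSxtp5BZEtfB5qV/IE5kWO+mCIAGpXSZIdbERR6pZUq8GLEe1T9e+sO6H24w2F19\n"
        + "AgMBAAGjgYUwgYIwNAYDVR0fBC0wKzApoCegJYYjbGRhcDovL2xkYXAuaG9zdC5m\n"
        + "b3IuY3JsZHAvbWFpbi5jcmwwSgYIKwYBBQUHAQEEPjA8MDoGCCsGAQUFBzAChi5s\n"
        + "ZGFwOi8vbGRhcC5ob3N0LmZvci5haWEvZGM9Um9vdD9jQUNlcnRpZmljYXRlMA0G\n"
        + "CSqGSIb3DQEBDQUAA4IBAQBWDfZHpuUx0yn5d3+BuztFqoks1MkGdk+USlH0TB1/\n"
        + "gWWBd+4S4PCKlpSur0gj2rMW4fP5HQfNlHci8JV8/bG4KuKRAXW56dg1818Hl3pc\n"
        + "iIrUSRn8uUjH3p9qb+Rb/u3mmVQRyJjN2t/zceNsO8/+Dd808OB9aEwGs8lMT0nn\n"
        + "ZYaaAqYz1GIY/Ecyx1vfEZEQ1ljo6i/r70C3igbypBUShxSiGsleiVTLOGNA+MN1\n"
        + "/a/Qh0bkaQyTGqK3bwvzzMeQVqWu2EWTBD/PmND5ExkpRICdv8LBVXfLnpoBr4lL\n"
        + "hnxn9+e0Ah+t8dS5EKfn44w5bI5PCu2bqxs6RCTxNjcY\n"
        + "-----END CERTIFICATE-----";

    // Host names carried by the CRLDP and AIA URIs of EE_CERT (see the
    // certificate dump above); they must stay in sync with that certificate.
    private static final String LDAP_HOST_CRLDP = "ldap.host.for.crldp";
    private static final String LDAP_HOST_AIA = "ldap.host.for.aia";

    // A date within the validity period of both certificates, so that
    // validation fails only because the CRL/issuer fetches fail and not
    // because of an expired or not-yet-valid certificate.
    static final Date validationDate;
    static {
        try {
            validationDate = DateFormat.getDateInstance(
                    DateFormat.MEDIUM, Locale.US).parse("Sep 02, 2015");
        } catch (ParseException e) {
            throw new RuntimeException("Couldn't parse date", e);
        }
    }

    /**
     * Runs the test.
     *
     * <p>Enables CRLDP and AIA processing, installs {@link LocalNameService} as
     * the JVM name service, validates {@code EE_CERT} against {@code CA_CERT}
     * and then checks that the validator attempted to resolve both LDAP host
     * names. Validation itself is expected to fail, because every host-name
     * lookup is refused by the local name service.
     *
     * @param args ignored
     * @throws Exception if certificate parsing or validator setup fails
     * @throws RuntimeException if validation unexpectedly succeeds or one of
     *         the LDAP host names was never looked up
     */
    public static void main(String[] args) throws Exception {
        // Enable CRLDP and AIA extensions; both are off by default.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");

        // Register the local name service so that no lookup leaves the JVM.
        System.setProperty("sun.net.spi.nameservice.provider.1", "ns,localdns");

        X509Certificate trustedCert = loadCertificate(CA_CERT);
        X509Certificate eeCert = loadCertificate(EE_CERT);

        Set<TrustAnchor> trustedCertsSet = new HashSet<>();
        trustedCertsSet.add(new TrustAnchor(trustedCert, null));

        // generateCertPath already returns a CertPath; no cast needed.
        CertPath cp = CertificateFactory.getInstance("X509")
                .generateCertPath(Arrays.asList(eeCert));

        PKIXParameters params = new PKIXParameters(trustedCertsSet);
        params.setDate(validationDate);

        // The certpath validator should parse the CRLDP and AIA extensions
        // and try to load the CRLs/certs they point to. If the local name
        // service caught requests to resolve the host names contained in
        // those extensions, the validator did try to load them.
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            throw new RuntimeException("CertPathValidatorException not thrown");
        } catch (CertPathValidatorException cpve) {
            System.out.println("Expected exception: " + cpve);
        }

        // Check that the host name from the CRLDP extension was resolved.
        if (!LocalNameService.requestedHosts.contains(LDAP_HOST_CRLDP)) {
            throw new RuntimeException(
                    "A hostname from CRLDP extension not requested");
        }

        // Check that the host name from the AIA extension was resolved.
        if (!LocalNameService.requestedHosts.contains(LDAP_HOST_AIA)) {
            throw new RuntimeException(
                    "A hostname from AIA extension not requested");
        }

        System.out.println("Test passed");
    }

    /**
     * Parses a single PEM-encoded X.509 certificate.
     *
     * @param s the certificate in PEM form (BEGIN/END CERTIFICATE markers
     *        around a base64 body)
     * @return the parsed certificate
     * @throws IOException if closing the in-memory stream fails (kept for
     *         signature compatibility; it does not happen in practice)
     * @throws CertificateException if {@code s} does not hold a valid X.509
     *         certificate
     */
    public static X509Certificate loadCertificate(String s)
            throws IOException, CertificateException {
        // PEM is pure ASCII, so an explicit charset is exact and avoids the
        // platform default. This replaces the deprecated
        // StringBufferInputStream, which dropped the high byte of every char.
        try (ByteArrayInputStream is =
                new ByteArrayInputStream(s.getBytes(StandardCharsets.US_ASCII))) {
            return (X509Certificate) CertificateFactory.getInstance("X509")
                    .generateCertificate(is);
        }
    }

    /**
     * A name service that records every requested host name and then refuses
     * the lookup, so that nothing in the test can reach the network.
     */
    public static class LocalNameService implements NameServiceDescriptor {

        // Host names passed to lookupAllHostAddr(), in request order.
        static final List<String> requestedHosts = new ArrayList<>();

        /**
         * Creates the recording name service.
         *
         * @return a name service whose forward lookups are recorded in
         *         {@link #requestedHosts} and always fail
         * @throws Exception never; declared by the interface
         */
        @Override
        public NameService createNameService() throws Exception {
            System.out.println("LocalNameService: createNameService() called");
            NameService ns = new NameService() {

                // Record the host name, then fail the lookup so that no
                // LDAP connection is ever attempted.
                @Override
                public InetAddress[] lookupAllHostAddr(String host)
                        throws UnknownHostException {

                    System.out.println("LocalNameService: "
                            + "NameService.lookupAllHostAddr(): " + host);

                    requestedHosts.add(host);

                    throw new UnknownHostException();
                }

                // Reverse lookups are not needed by the test and always fail.
                @Override
                public String getHostByAddr(byte[] addr)
                        throws UnknownHostException {
                    System.out.println("LocalNameService: "
                            + "NameService.getHostByAddr(): "
                            + Arrays.toString(addr));
                    throw new UnknownHostException("No reverse lookup");
                }
            };
            return ns;
        }

        /** @return the provider name used in the {@code nameservice.provider.1} property */
        @Override
        public String getProviderName() {
            return "localdns";
        }

        /** @return the provider type used in the {@code nameservice.provider.1} property */
        @Override
        public String getType() {
            return "ns";
        }
    }

}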