55 "geotrustglobalca", "geotrustprimarycag2", "geotrustprimarycag3", |
57 "geotrustglobalca", "geotrustprimarycag2", "geotrustprimarycag3", |
56 "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2", |
58 "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2", |
57 "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca", |
59 "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca", |
58 "verisignclass3g5ca", "verisignuniversalrootca" }; |
60 "verisignclass3g5ca", "verisignuniversalrootca" }; |
59 |
61 |
|
62 // Each of the subCAs with a delayed distrust date have a test certificate |
|
63 // chain stored in a file named "<subCA>-chain.pem". |
|
64 private static String[] subCAsToTest = new String[] { |
|
65 "appleistca2g1", "appleistca8g1" }; |
|
66 |
60 // A date that is after the restrictions take affect |
67 // A date that is after the restrictions take affect |
61 private static final Date APRIL_17_2019 = |
68 private static final Date APRIL_17_2019 = |
62 Date.from(LocalDate.of(2019, 4, 17) |
69 Date.from(LocalDate.of(2019, 4, 17) |
63 .atStartOfDay(ZoneOffset.UTC) |
70 .atStartOfDay(ZoneOffset.UTC) |
64 .toInstant()); |
71 .toInstant()); |
65 |
72 |
|
73 // A date that is a second before the restrictions take affect |
|
74 private static final Date BEFORE_APRIL_17_2019 = |
|
75 Date.from(LocalDate.of(2019, 4, 17) |
|
76 .atStartOfDay(ZoneOffset.UTC) |
|
77 .minusSeconds(1) |
|
78 .toInstant()); |
|
79 |
|
80 // A date that is after the subCA restrictions take affect |
|
81 private static final Date JANUARY_1_2020 = |
|
82 Date.from(LocalDate.of(2020, 1, 1) |
|
83 .atStartOfDay(ZoneOffset.UTC) |
|
84 .toInstant()); |
|
85 |
|
86 // A date that is a second before the subCA restrictions take affect |
|
87 private static final Date BEFORE_JANUARY_1_2020 = |
|
88 Date.from(LocalDate.of(2020, 1, 1) |
|
89 .atStartOfDay(ZoneOffset.UTC) |
|
90 .minusSeconds(1) |
|
91 .toInstant()); |
|
92 |
66 public static void main(String[] args) throws Exception { |
93 public static void main(String[] args) throws Exception { |
67 |
94 |
68 cf = CertificateFactory.getInstance("X.509"); |
95 cf = CertificateFactory.getInstance("X.509"); |
69 boolean distrust = args[0].equals("true"); |
96 |
70 if (!distrust) { |
97 boolean before = args[0].equals("before"); |
71 // disable policy |
98 boolean policyOn = args[1].equals("policyOn"); |
|
99 boolean isValid = args[2].equals("valid"); |
|
100 |
|
101 if (!policyOn) { |
|
102 // disable policy (default is on) |
72 Security.setProperty("jdk.security.caDistrustPolicies", ""); |
103 Security.setProperty("jdk.security.caDistrustPolicies", ""); |
73 } |
104 } |
|
105 |
|
106 Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019; |
74 |
107 |
75 X509TrustManager pkixTM = getTMF("PKIX", null); |
108 X509TrustManager pkixTM = getTMF("PKIX", null); |
76 X509TrustManager sunX509TM = getTMF("SunX509", null); |
109 X509TrustManager sunX509TM = getTMF("SunX509", null); |
77 for (String test : rootsToTest) { |
110 for (String test : rootsToTest) { |
78 System.err.println("Testing " + test); |
111 System.err.println("Testing " + test); |
79 X509Certificate[] chain = loadCertificateChain(test); |
112 X509Certificate[] chain = loadCertificateChain(test); |
80 |
113 |
81 testTM(sunX509TM, chain, !distrust); |
114 testTM(sunX509TM, chain, notBefore, isValid); |
82 testTM(pkixTM, chain, !distrust); |
115 testTM(pkixTM, chain, notBefore, isValid); |
83 } |
116 } |
84 |
117 |
85 // test chain if params are passed to TrustManager |
118 // test chain if params are passed to TrustManager |
86 System.err.println("Testing verisignuniversalrootca with params"); |
119 System.err.println("Testing verisignuniversalrootca with params"); |
87 testTM(getTMF("PKIX", getParams()), |
120 testTM(getTMF("PKIX", getParams()), |
88 loadCertificateChain("verisignuniversalrootca"), !distrust); |
121 loadCertificateChain("verisignuniversalrootca"), |
|
122 notBefore, isValid); |
89 |
123 |
90 // test code-signing chain (should be valid as restrictions don't apply) |
124 // test code-signing chain (should be valid as restrictions don't apply) |
91 System.err.println("Testing verisignclass3g5ca code-signing chain"); |
125 System.err.println("Testing verisignclass3g5ca code-signing chain"); |
92 Validator v = Validator.getInstance(Validator.TYPE_PKIX, |
126 Validator v = Validator.getInstance(Validator.TYPE_PKIX, |
93 Validator.VAR_CODE_SIGNING, |
127 Validator.VAR_CODE_SIGNING, |
94 getParams()); |
128 getParams()); |
95 // set validation date so this will still pass when cert expires |
129 // set validation date so this will still pass when cert expires |
96 v.setValidationDate(new Date(1544197375493l)); |
130 v.setValidationDate(new Date(1544197375493l)); |
97 v.validate(loadCertificateChain("verisignclass3g5ca-codesigning")); |
131 v.validate(loadCertificateChain("verisignclass3g5ca-codesigning")); |
|
132 |
|
133 // test chains issued through subCAs |
|
134 notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020; |
|
135 for (String test : subCAsToTest) { |
|
136 System.err.println("Testing " + test); |
|
137 X509Certificate[] chain = loadCertificateChain(test); |
|
138 |
|
139 testTM(sunX509TM, chain, notBefore, isValid); |
|
140 testTM(pkixTM, chain, notBefore, isValid); |
|
141 } |
98 } |
142 } |
99 |
143 |
100 private static X509TrustManager getTMF(String type, |
144 private static X509TrustManager getTMF(String type, |
101 PKIXBuilderParameters params) throws Exception { |
145 PKIXBuilderParameters params) throws Exception { |
102 TrustManagerFactory tmf = TrustManagerFactory.getInstance(type); |
146 TrustManagerFactory tmf = TrustManagerFactory.getInstance(type); |
120 pbp.setRevocationEnabled(false); |
164 pbp.setRevocationEnabled(false); |
121 return pbp; |
165 return pbp; |
122 } |
166 } |
123 |
167 |
124 private static void testTM(X509TrustManager xtm, X509Certificate[] chain, |
168 private static void testTM(X509TrustManager xtm, X509Certificate[] chain, |
125 boolean valid) throws Exception { |
169 Date notBefore, boolean valid) throws Exception { |
126 // Check if TLS Server certificate (the first element of the chain) |
170 // Check if TLS Server certificate (the first element of the chain) |
127 // is issued after April 16, 2019 (should be rejected unless distrust |
171 // is issued after the specified notBefore date (should be rejected |
128 // property is false). To do this, we need to fake the notBefore date |
172 // unless distrust property is false). To do this, we need to |
129 // since none of the test certs are issued after then. |
173 // fake the notBefore date since none of the test certs are issued |
130 chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019); |
174 // after then. |
|
175 chain[0] = new DistrustedTLSServerCert(chain[0], notBefore); |
131 |
176 |
132 try { |
177 try { |
133 xtm.checkServerTrusted(chain, "ECDHE_RSA"); |
178 xtm.checkServerTrusted(chain, "ECDHE_RSA"); |
134 if (!valid) { |
179 if (!valid) { |
135 throw new Exception("chain should be invalid"); |
180 throw new Exception("chain should be invalid"); |