jdk-sandbox: comparison test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java

equal deleted inserted replaced

-:1cde04cbcec6
+:f443de1cee05
 /*
-* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 import jdk.test.lib.security.SecurityUtils;
 /**
 * @test
-* @bug 8207258
+* @bug 8207258 8216280
 * @summary Check that TLS Server certificates chaining back to distrusted
 *          Symantec roots are invalid
 * @library /test/lib
 * @modules java.base/sun.security.validator
-* @run main/othervm Distrust true
+* @run main/othervm Distrust after policyOn invalid
-* @run main/othervm Distrust false
+* @run main/othervm Distrust after policyOff valid
+* @run main/othervm Distrust before policyOn valid
+* @run main/othervm Distrust before policyOff valid
 */
 public class Distrust {
 private static final String TEST_SRC = System.getProperty("test.src", ".");
 "geotrustglobalca", "geotrustprimarycag2", "geotrustprimarycag3",
 "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2",
 "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
 "verisignclass3g5ca", "verisignuniversalrootca" };
+// Each of the subCAs with a delayed distrust date have a test certificate
+// chain stored in a file named "<subCA>-chain.pem".
+private static String[] subCAsToTest = new String[] {
+"appleistca2g1", "appleistca8g1" };
 // A date that is after the restrictions take affect
 private static final Date APRIL_17_2019 =
 Date.from(LocalDate.of(2019, 4, 17)
 .atStartOfDay(ZoneOffset.UTC)
 .toInstant());
+// A date that is a second before the restrictions take affect
+private static final Date BEFORE_APRIL_17_2019 =
+Date.from(LocalDate.of(2019, 4, 17)
+.atStartOfDay(ZoneOffset.UTC)
+.minusSeconds(1)
+.toInstant());
+// A date that is after the subCA restrictions take affect
+private static final Date JANUARY_1_2020 =
+Date.from(LocalDate.of(2020, 1, 1)
+.atStartOfDay(ZoneOffset.UTC)
+.toInstant());
+// A date that is a second before the subCA restrictions take affect
+private static final Date BEFORE_JANUARY_1_2020 =
+Date.from(LocalDate.of(2020, 1, 1)
+.atStartOfDay(ZoneOffset.UTC)
+.minusSeconds(1)
+.toInstant());
 public static void main(String[] args) throws Exception {
 cf = CertificateFactory.getInstance("X.509");
-boolean distrust = args[0].equals("true");
-if (!distrust) {
+boolean before = args[0].equals("before");
-// disable policy
+boolean policyOn = args[1].equals("policyOn");
+boolean isValid = args[2].equals("valid");
+if (!policyOn) {
+// disable policy (default is on)
 Security.setProperty("jdk.security.caDistrustPolicies", "");
 }
+Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;
 X509TrustManager pkixTM = getTMF("PKIX", null);
 X509TrustManager sunX509TM = getTMF("SunX509", null);
 for (String test : rootsToTest) {
 System.err.println("Testing " + test);
 X509Certificate[] chain = loadCertificateChain(test);
-testTM(sunX509TM, chain, !distrust);
+testTM(sunX509TM, chain, notBefore, isValid);
-testTM(pkixTM, chain, !distrust);
+testTM(pkixTM, chain, notBefore, isValid);
 }
 // test chain if params are passed to TrustManager
 System.err.println("Testing verisignuniversalrootca with params");
 testTM(getTMF("PKIX", getParams()),
-loadCertificateChain("verisignuniversalrootca"), !distrust);
+loadCertificateChain("verisignuniversalrootca"),
+notBefore, isValid);
 // test code-signing chain (should be valid as restrictions don't apply)
 System.err.println("Testing verisignclass3g5ca code-signing chain");
 Validator v = Validator.getInstance(Validator.TYPE_PKIX,
 Validator.VAR_CODE_SIGNING,
 getParams());
 // set validation date so this will still pass when cert expires
 v.setValidationDate(new Date(1544197375493l));
 v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));
+// test chains issued through subCAs
+notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
+for (String test : subCAsToTest) {
+System.err.println("Testing " + test);
+X509Certificate[] chain = loadCertificateChain(test);
+testTM(sunX509TM, chain, notBefore, isValid);
+testTM(pkixTM, chain, notBefore, isValid);
+}
 }
 private static X509TrustManager getTMF(String type,
 PKIXBuilderParameters params) throws Exception {
 TrustManagerFactory tmf = TrustManagerFactory.getInstance(type);
 pbp.setRevocationEnabled(false);
 return pbp;
 }
 private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
-boolean valid) throws Exception {
+Date notBefore, boolean valid) throws Exception {
 // Check if TLS Server certificate (the first element of the chain)
-// is issued after April 16, 2019 (should be rejected unless distrust
+// is issued after the specified notBefore date (should be rejected
-// property is false). To do this, we need to fake the notBefore date
+// unless distrust property is false). To do this, we need to
-// since none of the test certs are issued after then.
+// fake the notBefore date since none of the test certs are issued
-chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019);
+// after then.
+chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);
 try {
 xtm.checkServerTrusted(chain, "ECDHE_RSA");
 if (!valid) {
 throw new Exception("chain should be invalid");

changeset 53428	f443de1cee05
parent 52948	04c9b7111aac