--- a/jdk/test/sun/security/pkcs11/ec/ReadCertificates.java Wed Dec 04 18:02:33 2013 +0000
+++ b/jdk/test/sun/security/pkcs11/ec/ReadCertificates.java Wed Dec 04 10:59:17 2013 -0800
@@ -37,6 +37,7 @@
import java.security.cert.*;
import java.security.*;
import java.security.interfaces.*;
+import java.security.spec.ECParameterSpec;
import javax.security.auth.x500.X500Principal;
@@ -101,33 +102,44 @@
}
System.out.println("OK: " + certs.size() + " certificates.");
+ // Get supported curves
+ Vector<ECParameterSpec> supportedEC = getKnownCurves(p);
+
+ System.out.println("Test Certs:\n");
for (X509Certificate cert : certs.values()) {
X509Certificate issuer = certs.get(cert.getIssuerX500Principal());
- System.out.println("Verifying " + cert.getSubjectX500Principal() + "...");
+ System.out.print("Verifying " + cert.getSubjectX500Principal() +
+ "... ");
PublicKey key = issuer.getPublicKey();
- // First try the provider under test (if it does not support the
- // necessary algorithm then try any registered provider).
- try {
- cert.verify(key, p.getName());
- } catch (NoSuchAlgorithmException e) {
- System.out.println("Warning: " + e.getMessage() +
- ". Trying another provider...");
- cert.verify(key);
- } catch (InvalidKeyException e) {
- // The root cause of the exception might be NSS not having
- // "ECC Extended" support curves. If so, we can ignore it.
- Throwable t = e;
- while (t.getCause() != null) {
- t = t.getCause();
- }
- if (t instanceof sun.security.pkcs11.wrapper.PKCS11Exception &&
- t.getMessage().equals("CKR_DOMAIN_PARAMS_INVALID") &&
- isNSS(p) && getNSSECC() == ECCState.Basic) {
- System.out.println("Failed as expected. NSS Basic ECC.");
+ // Check if curve is supported
+ if (issuer.getPublicKey() instanceof ECPublicKey) {
+ if (!checkSupport(supportedEC,
+ ((ECPublicKey)key).getParams())) {
+ System.out.println("Curve not found. Skipped.");
continue;
}
- throw e;
}
+
+ try {
+ cert.verify(key, p.getName());
+ System.out.println("Pass.");
+ } catch (NoSuchAlgorithmException e) {
+ System.out.println("Warning: " + e.getMessage() +
+ ". Trying another provider...");
+ cert.verify(key);
+ } catch (Exception e) {
+ System.out.println(e.getMessage());
+ if (key instanceof ECPublicKey) {
+ System.out.println("Failed.\n\tCurve: " +
+ ((ECPublicKey)key).getParams() +
+ "\n\tSignature Alg: " + cert.getSigAlgName());
+ } else {
+ System.out.println("Key: "+key.toString());
+ }
+
+ System.err.println("Verifying " + cert.getSubjectX500Principal());
+ e.printStackTrace();
+ }
}
// try some random invalid signatures to make sure we get the correct