--- a/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 10:25:22 2019 +0800
+++ b/test/jdk/sun/security/ssl/X509TrustManagerImpl/Symantec/Distrust.java Tue Jan 22 09:27:19 2019 -0500
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -35,13 +35,15 @@
/**
* @test
- * @bug 8207258
+ * @bug 8207258 8216280
* @summary Check that TLS Server certificates chaining back to distrusted
* Symantec roots are invalid
* @library /test/lib
* @modules java.base/sun.security.validator
- * @run main/othervm Distrust true
- * @run main/othervm Distrust false
+ * @run main/othervm Distrust after policyOn invalid
+ * @run main/othervm Distrust after policyOff valid
+ * @run main/othervm Distrust before policyOn valid
+ * @run main/othervm Distrust before policyOff valid
*/
public class Distrust {
@@ -57,35 +59,67 @@
"thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca",
"verisignclass3g5ca", "verisignuniversalrootca" };
+ // Each of the subCAs with a delayed distrust date have a test certificate
+ // chain stored in a file named "<subCA>-chain.pem".
+ private static String[] subCAsToTest = new String[] {
+ "appleistca2g1", "appleistca8g1" };
+
// A date that is after the restrictions take affect
private static final Date APRIL_17_2019 =
Date.from(LocalDate.of(2019, 4, 17)
.atStartOfDay(ZoneOffset.UTC)
.toInstant());
+ // A date that is a second before the restrictions take affect
+ private static final Date BEFORE_APRIL_17_2019 =
+ Date.from(LocalDate.of(2019, 4, 17)
+ .atStartOfDay(ZoneOffset.UTC)
+ .minusSeconds(1)
+ .toInstant());
+
+ // A date that is after the subCA restrictions take affect
+ private static final Date JANUARY_1_2020 =
+ Date.from(LocalDate.of(2020, 1, 1)
+ .atStartOfDay(ZoneOffset.UTC)
+ .toInstant());
+
+ // A date that is a second before the subCA restrictions take affect
+ private static final Date BEFORE_JANUARY_1_2020 =
+ Date.from(LocalDate.of(2020, 1, 1)
+ .atStartOfDay(ZoneOffset.UTC)
+ .minusSeconds(1)
+ .toInstant());
+
public static void main(String[] args) throws Exception {
cf = CertificateFactory.getInstance("X.509");
- boolean distrust = args[0].equals("true");
- if (!distrust) {
- // disable policy
+
+ boolean before = args[0].equals("before");
+ boolean policyOn = args[1].equals("policyOn");
+ boolean isValid = args[2].equals("valid");
+
+ if (!policyOn) {
+ // disable policy (default is on)
Security.setProperty("jdk.security.caDistrustPolicies", "");
}
+ Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019;
+
X509TrustManager pkixTM = getTMF("PKIX", null);
X509TrustManager sunX509TM = getTMF("SunX509", null);
for (String test : rootsToTest) {
System.err.println("Testing " + test);
X509Certificate[] chain = loadCertificateChain(test);
- testTM(sunX509TM, chain, !distrust);
- testTM(pkixTM, chain, !distrust);
+ testTM(sunX509TM, chain, notBefore, isValid);
+ testTM(pkixTM, chain, notBefore, isValid);
}
// test chain if params are passed to TrustManager
System.err.println("Testing verisignuniversalrootca with params");
testTM(getTMF("PKIX", getParams()),
- loadCertificateChain("verisignuniversalrootca"), !distrust);
+ loadCertificateChain("verisignuniversalrootca"),
+ notBefore, isValid);
// test code-signing chain (should be valid as restrictions don't apply)
System.err.println("Testing verisignclass3g5ca code-signing chain");
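Review bot: `subCAsToTest` at the top of the hunk is declared `private static String[]` without `final`, while the four date constants added directly below it are `private static final`; the reference is never reassigned, so `private static final String[] subCAsToTest = new String[] {` keeps it consistent with its neighbours (the declaration of `rootsToTest` is outside the hunk, so I cannot tell whether it is final either). Separately, the argument parsing in main treats any first argument other than `before` as "after", any second argument other than `policyOn` as policy-off and any third other than `valid` as invalid, so a misspelled token in one of the four `@run` lines silently changes what that run asserts instead of failing. A guard such as `if (args.length != 3) throw new IllegalArgumentException("usage: before|after policyOn|policyOff valid|invalid");` plus rejecting a token that matches neither spelling would make the harness self-checking.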
@@ -95,6 +129,16 @@
// set validation date so this will still pass when cert expires
v.setValidationDate(new Date(1544197375493l));
v.validate(loadCertificateChain("verisignclass3g5ca-codesigning"));
+
+ // test chains issued through subCAs
+ notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020;
+ for (String test : subCAsToTest) {
+ System.err.println("Testing " + test);
+ X509Certificate[] chain = loadCertificateChain(test);
+
+ testTM(sunX509TM, chain, notBefore, isValid);
+ testTM(pkixTM, chain, notBefore, isValid);
+ }
}
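Review bot: The loop over `subCAsToTest` added at the end of main repeats the `rootsToTest` loop from the previous hunk line for line, differing only in the `notBefore` date passed through; a small helper keeps the two chain sets in step if the per-chain steps (the two trust managers, the logging) change later. The body of main begins outside this hunk, so the first loop is not visible here, but the call sites would be the two loops in main. The local `notBefore` can then be passed straight to the helper rather than being reassigned between the two sets.
```java
// in main, in place of the two for-loops:
testChains(rootsToTest, sunX509TM, pkixTM, notBefore, isValid);
// … unchanged: params test and code-signing chain …
testChains(subCAsToTest, sunX509TM, pkixTM,
        before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020, isValid);

/** Checks each named chain against both trust managers with the given fake notBefore date. */
private static void testChains(String[] names, X509TrustManager sunX509TM,
        X509TrustManager pkixTM, Date notBefore, boolean valid)
        throws Exception {
    for (String test : names) {
        System.err.println("Testing " + test);
        X509Certificate[] chain = loadCertificateChain(test);
        testTM(sunX509TM, chain, notBefore, valid);
        testTM(pkixTM, chain, notBefore, valid);
    }
}
```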
private static X509TrustManager getTMF(String type,
@@ -122,12 +166,13 @@
}
private static void testTM(X509TrustManager xtm, X509Certificate[] chain,
- boolean valid) throws Exception {
+ Date notBefore, boolean valid) throws Exception {
// Check if TLS Server certificate (the first element of the chain)
- // is issued after April 16, 2019 (should be rejected unless distrust
- // property is false). To do this, we need to fake the notBefore date
- // since none of the test certs are issued after then.
- chain[0] = new DistrustedTLSServerCert(chain[0], APRIL_17_2019);
+ // is issued after the specified notBefore date (should be rejected
+ // unless distrust property is false). To do this, we need to
+ // fake the notBefore date since none of the test certs are issued
+ // after then.
+ chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);
try {
xtm.checkServerTrusted(chain, "ECDHE_RSA");
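Review bot: The rewritten comment above `chain[0] = new DistrustedTLSServerCert(chain[0], notBefore);` still says the chain "should be rejected unless distrust property is false", but with the new `notBefore` parameter the expected outcome now depends on both the date and the policy and is carried by `valid`; something like `// Fake the server cert's notBefore date: a chain dated on or after the distrust date is rejected only when the policy is enabled, as the caller expresses via 'valid'.` would describe the new contract. Note also that the assignment overwrites element 0 of the caller's array, and main calls testTM twice with the same `chain`, so the second call wraps a certificate that is already a DistrustedTLSServerCert; whether the wrapper tolerates that is not visible here, and `chain = chain.clone();` before the assignment would keep the two calls independent. The body of testTM continues past the end of this hunk.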