diff -r 6c846d61ba2f -r 9ee1d7810f50 jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/security/cert/PKIXRevocationChecker/OcspUnauthorized.java Fri Sep 06 12:04:18 2013 -0400 @@ -0,0 +1,103 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8023362 + * @summary Make sure Ocsp UNAUTHORIZED response is treated as failure when + * SOFT_FAIL option is set + */ + +import java.io.ByteArrayInputStream; +import java.security.cert.*; +import java.security.cert.PKIXRevocationChecker.Option; +import java.util.Base64; +import java.util.Collections; +import java.util.EnumSet; + +public class OcspUnauthorized { + + private final static String OCSP_RESPONSE = "MAMKAQY="; + + private final static String EE_CERT = + "MIICADCCAWmgAwIBAgIEOvxUmjANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJ1czE" + + "MMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRsYWJzMB4XDTAxMDUxNDIwNDQyMVoXDTI4MD" + + "kyOTIwNDQyMVowOTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEb" + + "GFiczENMAsGA1UECxMEaXNyZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4MmP" + + "GDriFJ+OhDlTuLpHzPy0nawDKyIYUJPZmU9M/pCAUbZewAOyAXGPYVU1og2ZiO9tWBi" + + "ZBeJGoFHEkkhfeqSVb2PsRckiXvPZ3AiSVmdX0uD/a963abmhRMYB1gDO2+jBe3F/DU" + + "pHwpyThchy8tYUMh7Gr7+m/8FwZbdbSpMCAwEAAaMkMCIwDwYDVR0PAQH/BAUDAwekA" + + "DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAME3fmXvES0FVDXSD1iC" + + "TJLf86kUy3H+uMG7h5pOQmcfF1o9PVWlNByVf4r2b4GRgftPQ3Ao0SAvq1aSkW7YpkN" + + "pcartYqNk2E5brPajOC0v+Pkxf/g/pkRTT6Zp+9erGQF4Ta62q0iwOyc3FovSbh0Ph2" + + "WidZRP4qUG5I6JmGkI"; + + private final static String TRUST_ANCHOR = + "MIICIzCCAYygAwIBAgIEOvxT7DANBgkqhkiG9w0BAQQFADAbMQswCQYDVQQGEwJ1czE" + + "MMAoGA1UEChMDc3VuMB4XDTAxMDUxNDIxMDQyOVoXDTI4MDkyOTIxMDQyOVowKjELMA" + + "kGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEbGFiczCBnzANBgkqhkiG9" + + "w0BAQEFAAOBjQAwgYkCgYEA0/16V87rhznCM0y7IqyGcfQBentG+PglA+1hiqCuQY/A" + + "jFiDKr5N+LpcfU28P41E4M+DSDrMIEe4JchRcXeJY6aIVhpOveVV9mgtBaEKlsScrIJ" + + "zmVqM07PG9JENg2FibECnB5TNUSfVbFKfvtAqaZ7Pc971oZVoIePBWnfKV9kCAwEAAa" + + "NlMGMwPwYDVR0eAQH/BDUwM6AxMC+kKjELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1b" + + "jENMAsGA1UECxMEbGFic4ABAzAPBgNVHQ8BAf8EBQMDB6QAMA8GA1UdEwEB/wQFMAMB" + + "Af8wDQYJKoZIhvcNAQEEBQADgYEAfJ5HWd7K5PmX0+Vbsux4SYhoaejDwwgS43BRNa+" + + "AmFq9LIZ+ZcjBMVte8Y3sJF+nz9+1qBaUhNhbaECCqsgmWSwvI+0kUzJXL89k9AdQ8m" + + "AYf6CB6+kaZQBgrdSdqSGz3tCVa2MIK8wmb0ROM40oJ7vt3qSwgFi3UTltxkFfwQ0="; + + private static CertificateFactory cf; + private static Base64.Decoder base64Decoder = Base64.getDecoder(); + + public static void main(String[] args) throws Exception { + cf = CertificateFactory.getInstance("X.509"); + X509Certificate taCert = getX509Cert(TRUST_ANCHOR); + X509Certificate eeCert = getX509Cert(EE_CERT); + CertPath cp = cf.generateCertPath(Collections.singletonList(eeCert)); + + CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); + PKIXRevocationChecker prc = + (PKIXRevocationChecker)cpv.getRevocationChecker(); + prc.setOptions(EnumSet.of(Option.SOFT_FAIL, Option.NO_FALLBACK)); + byte[] response = base64Decoder.decode(OCSP_RESPONSE); + + prc.setOcspResponses(Collections.singletonMap(eeCert, response)); + + TrustAnchor ta = new TrustAnchor(taCert, null); + PKIXParameters params = new PKIXParameters(Collections.singleton(ta)); + + params.addCertPathChecker(prc); + + try { + cpv.validate(cp, params); + throw new Exception("FAILED: expected CertPathValidatorException"); + } catch (CertPathValidatorException cpve) { + cpve.printStackTrace(); + } + } + + private static X509Certificate getX509Cert(String enc) throws Exception { + byte[] bytes = base64Decoder.decode(enc); + ByteArrayInputStream is = new ByteArrayInputStream(bytes); + return (X509Certificate)cf.generateCertificate(is); + } +}