/*
 * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
/*
 * @test
 * @bug 8076117
 * @summary EndEntityChecker should not process custom extensions
 *          after PKIX validation
 * @modules java.base/sun.security.validator
 */
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import sun.security.validator.TrustStoreUtil;
import sun.security.validator.Validator;
public class EndEntityExtensionCheck { |
/*
 * Fixture trust anchor (self-signed).
 * Owner: CN=TestCA
 * Issuer: CN=TestCA
 * Validity, from the encoded notBefore/notAfter: 2015-04-07 to 2025-04-06.
 *
 * NOTE(review): the encoded signature algorithm OID decodes to dsa-with-sha1
 * and the DSA parameters decode to a 1024-bit prime. That is at the edge of
 * the default jdk.certpath.disabledAlgorithms thresholds; if a future JDK
 * tightens them, both tests that expect a rejection would still "pass" for
 * the wrong reason, so confirm the rejection cause if this fixture is kept.
 */
private static final String CA =
"-----BEGIN CERTIFICATE-----\n" +
"MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
"dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
"VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
"EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
"mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
"rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
"Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
"FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
"kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
"oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
"nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
"eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
"8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
"L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
"-----END CERTIFICATE-----";

/*
 * Fixture end-entity certificate, issued by the CA above.
 * Owner: CN=TestEE
 * Issuer: CN=TestCA
 * Validity, from the encoded notBefore/notAfter: 2015-04-07 to 2015-07-06.
 * It is long expired, which is why the PKIX tests below pin the validation
 * date with PKIXParameters.setDate() instead of using "now".
 *
 * Contains a custom critical extension with OID 1.2.3.4:
 * #1: ObjectId: 1.2.3.4 Criticality=true
 * 0000: 00 00
 *
 * Because the extension is marked critical and the JDK does not recognize
 * it, a validator must reject this certificate unless a caller-supplied
 * PKIXCertPathChecker claims OID 1.2.3.4 (RFC 5280 section 4.2). That is
 * exactly the behaviour the three tests in main() pin down.
 */
private static final String EE =
"-----BEGIN CERTIFICATE-----\n" +
"MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
"dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
"VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
"EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
"mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
"rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
"Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
"FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
"kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
"01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
"tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
"hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
"7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
"mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
"3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
"-----END CERTIFICATE-----";
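/**
 * Validation date pinned for the PKIX tests. The fixture EE certificate
 * expired in July 2015, so the validators have to evaluate the chain as of
 * a date inside its validity period (2015-04-07 .. 2015-07-06).
 *
 * This replaces the deprecated {@code new Date(115, 5, 1)}: its 0-based
 * month made that 2015-06-01, while the comment next to it said 2015-05-01.
 * An explicit UTC instant removes both the deprecation and the ambiguity
 * (both dates are inside the validity window, so behaviour is unchanged).
 */
private static final Date VALIDATION_DATE =
        Date.from(Instant.parse("2015-06-01T00:00:00Z"));

/**
 * Runs the three scenarios in order and returns normally only if all pass.
 *
 * 1. SimpleValidator must reject the chain: the EE certificate carries a
 *    critical extension (OID 1.2.3.4) the JDK does not know, and
 *    SimpleValidator leaves that check to EndEntityChecker.
 * 2. PKIXValidator without a custom checker must reject it as well.
 * 3. PKIXValidator given a PKIXCertPathChecker for 1.2.3.4 must accept it:
 *    the checker handles the extension during PKIX validation, and
 *    EndEntityChecker must not report it again afterwards (JDK-8076117).
 *
 * @param args ignored
 * @throws Exception if any scenario fails, or if fixture setup fails
 */
public static void main(String[] args) throws Exception {
    X509Certificate[] chain = createChain();
    // createChain() places the self-signed CA last; it is the trust anchor.
    X509Certificate anchorCert = chain[chain.length - 1];

    testSimpleValidatorRejectsUnknownCriticalExtension(chain, anchorCert);

    Set<TrustAnchor> anchors = new HashSet<>();
    anchors.add(new TrustAnchor(anchorCert, null));

    testPkixValidatorWithoutCheckerRejects(chain, anchors);
    testPkixValidatorWithCheckerAccepts(chain, anchors);

    System.out.println("Tests passed.");
}

/*
 * Test 1: SimpleValidator.
 * SimpleValidator doesn't check for unsupported critical extensions in
 * the end entity certificate and leaves that up to EndEntityChecker,
 * which should catch such extensions and reject the chain.
 */
private static void testSimpleValidatorRejectsUnknownCriticalExtension(
        X509Certificate[] chain, X509Certificate anchorCert) throws Exception {
    // In-memory JKS holding only the anchor; nothing is read from disk.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);
    ks.setCertificateEntry("testca", anchorCert);

    Validator v = Validator.getInstance(Validator.TYPE_SIMPLE,
                                        Validator.VAR_TLS_CLIENT,
                                        TrustStoreUtil.getTrustedCerts(ks));
    expectRejection("Test 1 (SimpleValidator)", v, chain);
}

/*
 * Test 2: PKIXValidator without a custom checker.
 * PKIXValidator accepts PKIXParameters that can contain custom
 * PKIXCertPathCheckers, which are run against each cert in the chain,
 * including the EE cert. With no checker registered for the unknown
 * critical extension, chain validation must fail.
 */
private static void testPkixValidatorWithoutCheckerRejects(
        X509Certificate[] chain, Set<TrustAnchor> anchors) throws Exception {
    Validator v = Validator.getInstance(Validator.TYPE_PKIX,
                                        Validator.VAR_TLS_CLIENT,
                                        pkixParameters(anchors, null));
    expectRejection("Test 2 (PKIXValidator, no custom checker)", v, chain);
}

/*
 * Test 3: PKIXValidator with a custom checker.
 * Given a PKIXCertPathChecker for OID 1.2.3.4 (CustomChecker below), the
 * chain must validate: the checker handles the critical extension during
 * PKIX validation, so EndEntityChecker must not report it as unsupported
 * afterwards. Any CertificateException here is the test failure.
 */
private static void testPkixValidatorWithCheckerAccepts(
        X509Certificate[] chain, Set<TrustAnchor> anchors) throws Exception {
    Validator v = Validator.getInstance(Validator.TYPE_PKIX,
                                        Validator.VAR_TLS_CLIENT,
                                        pkixParameters(anchors, new CustomChecker()));
    v.validate(chain);
}

/**
 * Builds the PKIX parameters shared by tests 2 and 3.
 *
 * @param anchors      trust anchors (the fixture CA)
 * @param extraChecker custom checker to register, or {@code null} for none
 * @return parameters pinned to {@link #VALIDATION_DATE}, revocation off
 * @throws Exception if the parameters cannot be constructed
 */
private static PKIXBuilderParameters pkixParameters(Set<TrustAnchor> anchors,
        PKIXCertPathChecker extraChecker) throws Exception {
    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, null);
    if (extraChecker != null) {
        params.addCertPathChecker(extraChecker);
    }
    params.setDate(VALIDATION_DATE);
    // Revocation is not what this test exercises and the fixture carries no
    // revocation information (only key-identifier extensions and 1.2.3.4 are
    // visible in the EE cert). Turning it off is acceptable for a
    // self-contained fixture only; production callers should keep it on.
    params.setRevocationEnabled(false);
    return params;
}

/**
 * Asserts that validating {@code chain} with {@code v} throws
 * {@link CertificateException}. The exception is printed so that a
 * rejection for an unrelated reason (a disabled algorithm, an expiry
 * outside the pinned date, ...) is visible in the test log rather than
 * silently counting as a pass.
 *
 * @throws Exception if the chain validated successfully
 */
private static void expectRejection(String label, Validator v,
        X509Certificate[] chain) throws Exception {
    try {
        v.validate(chain);
    } catch (CertificateException expected) {
        System.out.println(label + ": rejected as expected: " + expected);
        return;
    }
    throw new Exception(label + ": chain should not have validated successfully.");
}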
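/**
 * Builds the two-certificate chain used by every test from the PEM
 * constants above: the end entity at index 0 and the self-signed CA at
 * index 1. main() takes the trust anchor from the last element.
 *
 * @return {@code {ee, ca}}
 * @throws Exception if either PEM constant fails to parse
 */
public static X509Certificate[] createChain() throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate ee = parsePem(cf, EE);
    X509Certificate ca = parsePem(cf, CA);
    return new X509Certificate[] {ee, ca};
}

/**
 * Parses one PEM-encoded certificate. PEM is pure ASCII, so the charset
 * is fixed explicitly instead of relying on the platform default that the
 * no-argument {@code String.getBytes()} would use.
 *
 * @throws CertificateException if the bytes are not a parsable certificate
 */
private static X509Certificate parsePem(CertificateFactory cf, String pem)
        throws CertificateException {
    byte[] encoded = pem.getBytes(StandardCharsets.US_ASCII);
    return (X509Certificate)
            cf.generateCertificate(new ByteArrayInputStream(encoded));
}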
/*
 * A custom PKIXCertPathChecker. Looks for a critical extension with the
 * OID 1.2.3.4 in an end entity certificate; Test 3 in main() relies on it
 * to handle that extension during PKIX validation so that the chain
 * validates. (Its check() method continues past this excerpt.)
 */
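static class CustomChecker extends PKIXCertPathChecker {

    /** OID of the critical extension this checker claims to recognise. */
    private static final String CUSTOM_EXT_OID = "1.2.3.4";

    /**
     * No state to set up: the checker is stateless, so there is nothing to
     * reset between validations.
     *
     * @param forward ignored
     * @throws CertPathValidatorException never; declared only to match the
     *         overridden signature
     */
    @Override
    public void init(boolean forward) throws CertPathValidatorException {
        // nothing to do
    }

    /**
     * Reports that only reverse-order checking is offered.
     *
     * @return {@code false}
     */
    @Override
    public boolean isForwardCheckingSupported() {
        return false;
    }

    /**
     * Advertises the single critical extension this checker handles.
     * <p>
     * {@link PKIXCertPathChecker#getSupportedExtensions()} specifies an
     * immutable set. Returning a fresh mutable {@code HashSet} (as before)
     * let a caller alter what the checker appears to support, so the set is
     * now an unmodifiable singleton.
     *
     * @return an unmodifiable set containing only {@code 1.2.3.4}
     */
    @Override
    public Set<String> getSupportedExtensions() {
        return java.util.Collections.singleton(CUSTOM_EXT_OID);
    }

    /**
     * Marks extension {@code 1.2.3.4} as resolved on end-entity certificates.
     * <p>
     * A certificate counts as an end entity when {@code getBasicConstraints()}
     * returns {@code -1} (not a CA). The OID is then removed from
     * {@code unresolvedCritExts} without inspecting the extension's value:
     * this fixture only needs the extension to be accounted for by a PKIX
     * checker (presumably so the test can show that EndEntityChecker does
     * not re-process it afterwards). A production checker would validate
     * the extension contents before removing the OID; removing it blindly
     * accepts any value.
     *
     * @param cert the certificate under examination; must be an
     *        {@link X509Certificate}
     * @param unresolvedCritExts OIDs of critical extensions no other checker
     *        has resolved yet; may be {@code null}
     * @throws CertPathValidatorException never thrown by this implementation;
     *         a non-X.509 certificate fails with a {@code ClassCastException}
     *         instead
     */
    @Override
    public void check(Certificate cert,
            Collection<String> unresolvedCritExts)
            throws CertPathValidatorException {
        X509Certificate currCert = (X509Certificate) cert;
        boolean endEntity = currCert.getBasicConstraints() == -1;
        // The isEmpty() guard is deliberate: an unmodifiable empty collection
        // may throw UnsupportedOperationException on remove() even when
        // nothing matches, so only touch the collection when it has content.
        if (endEntity && unresolvedCritExts != null
                && !unresolvedCritExts.isEmpty()) {
            unresolvedCritExts.remove(CUSTOM_EXT_OID);
        }
    }
}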
} |