6720721: CRL check with circular depency support needed
Summary: checking AKID of certificates and CRLs
Reviewed-by: mullan, weijun
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Tue May 26 16:19:18 2009 +0800
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Tue May 26 16:43:22 2009 +0800
@@ -339,6 +339,16 @@
debug.println("crl issuer does not equal cert issuer");
}
return false;
+ } else {
+ // in case of self-issued indirect CRL issuer.
+ byte[] certAKID = certImpl.getExtensionValue(
+ PKIXExtensions.AuthorityKey_Id.toString());
+ byte[] crlAKID = crlImpl.getExtensionValue(
+ PKIXExtensions.AuthorityKey_Id.toString());
+
+ if (!Arrays.equals(certAKID, crlAKID)) {
+ indirectCRL = true;
+ }
}
if (!indirectCRL && !signFlag) {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,193 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLOneLevel {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String subCaCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+ "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+ "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+ "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+ "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+ "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+ "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+ "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+ "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+ "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String targetCertStr = subCaCertStr;
+
+ static String crlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String crlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+ "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+ "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+ "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+ "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+ "-----END X509 CRL-----";
+
+ private static CertPath generateCertificatePath()
+ throws CertificateException {
+ // generate certificate from cert strings
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is;
+
+ is = new ByteArrayInputStream(targetCertStr.getBytes());
+ Certificate targetCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate certification path
+ List<Certificate> list = Arrays.asList(new Certificate[] {
+ targetCert, selfSignedCert});
+
+ return cf.generateCertPath(list);
+ }
+
+ private static Set<TrustAnchor> generateTrustAnchors()
+ throws CertificateException {
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate a trust anchor
+ TrustAnchor anchor =
+ new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+ return Collections.singleton(anchor);
+ }
+
+ private static CertStore generateCertificateStore() throws Exception {
+ // generate CRL from CRL string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(crlStr.getBytes());
+
+ // generate a cert store
+ Collection crls = cf.generateCRLs(is);
+
+ is = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+ Collection certs = cf.generateCertificates(is);
+
+ Collection entries = new HashSet();
+ entries.addAll(crls);
+ entries.addAll(certs);
+
+ return CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(entries));
+ }
+
+ public static void main(String args[]) throws Exception {
+ CertPath path = generateCertificatePath();
+ Set<TrustAnchor> anchors = generateTrustAnchors();
+ CertStore crls = generateCertificateStore();
+
+ PKIXParameters params = new PKIXParameters(anchors);
+
+ // add the CRL store
+ params.addCertStore(crls);
+
+ // Activate certificate revocation checking
+ params.setRevocationEnabled(true);
+
+ // set the validation time
+ params.setDate(new Date(109, 5, 1)); // 2009-05-01
+
+ // disable OCSP checker
+ Security.setProperty("ocsp.enable", "false");
+
+ // enable CRL checker
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+ try {
+ validator.validate(path, params);
+ } catch (CertPathValidatorException cpve) {
+ if (cpve.getReason() != BasicReason.REVOKED) {
+ throw new Exception(
+ "unexpect exception, should be a REVOKED CPVE", cpve);
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,196 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLOneLevelRevoked {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String dumCaCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" +
+ "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" +
+ "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" +
+ "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" +
+ "/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+ "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+ "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" +
+ "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" +
+ "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" +
+ "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" +
+ "-----END CERTIFICATE-----";
+
+ // a revoked certificate
+ static String targetCertStr = dumCaCertStr;
+
+ static String crlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String crlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+ "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+ "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+ "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+ "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+ "-----END X509 CRL-----";
+
+ private static CertPath generateCertificatePath()
+ throws CertificateException {
+ // generate certificate from cert strings
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is;
+
+ is = new ByteArrayInputStream(targetCertStr.getBytes());
+ Certificate targetCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate certification path
+ List<Certificate> list = Arrays.asList(new Certificate[] {
+ targetCert, selfSignedCert});
+
+ return cf.generateCertPath(list);
+ }
+
+ private static Set<TrustAnchor> generateTrustAnchors()
+ throws CertificateException {
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate a trust anchor
+ TrustAnchor anchor =
+ new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+ return Collections.singleton(anchor);
+ }
+
+ private static CertStore generateCertificateStore() throws Exception {
+ // generate CRL from CRL string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(crlStr.getBytes());
+
+ // generate a cert store
+ Collection crls = cf.generateCRLs(is);
+
+ is = new ByteArrayInputStream(crlIssuerCertStr.getBytes());
+ Collection certs = cf.generateCertificates(is);
+
+ Collection entries = new HashSet();
+ entries.addAll(crls);
+ entries.addAll(certs);
+
+ return CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(entries));
+ }
+
+ public static void main(String args[]) throws Exception {
+ CertPath path = generateCertificatePath();
+ Set<TrustAnchor> anchors = generateTrustAnchors();
+ CertStore crls = generateCertificateStore();
+
+ PKIXParameters params = new PKIXParameters(anchors);
+
+ // add the CRL store
+ params.addCertStore(crls);
+
+ // Activate certificate revocation checking
+ params.setRevocationEnabled(true);
+
+ // set the validation time
+ params.setDate(new Date(109, 5, 1)); // 2009-05-01
+
+ // disable OCSP checker
+ Security.setProperty("ocsp.enable", "false");
+
+ // enable CRL checker
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+ try {
+ validator.validate(path, params);
+ throw new Exception("unexpected status, should be REVOKED");
+ } catch (CertPathValidatorException cpve) {
+ if (cpve.getReason() != BasicReason.REVOKED) {
+ throw new Exception(
+ "unexpected exception, should be a REVOKED CPVE", cpve);
+ }
+ }
+
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,245 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLTwoLevel {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String subCaCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+ "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+ "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+ "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+ "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+ "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+ "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+ "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+ "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+ "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String targetCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
+ "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+ "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+ "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
+ "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
+ "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
+ "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
+ "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
+ "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
+ "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
+ "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String topCrlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String subCrlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
+ "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
+ "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
+ "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
+ "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
+ "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
+ "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
+ "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
+ "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
+ "rg==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String topCrlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+ "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+ "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+ "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+ "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+ "-----END X509 CRL-----";
+
+ static String subCrlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
+ "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
+ "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
+ "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
+ "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
+ "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
+ "-----END X509 CRL-----";
+
+ private static CertPath generateCertificatePath()
+ throws CertificateException {
+ // generate certificate from cert strings
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is;
+
+ is = new ByteArrayInputStream(targetCertStr.getBytes());
+ Certificate targetCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(subCaCertStr.getBytes());
+ Certificate subCaCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate certification path
+ List<Certificate> list = Arrays.asList(new Certificate[] {
+ targetCert, subCaCert, selfSignedCert});
+
+ return cf.generateCertPath(list);
+ }
+
+ private static Set<TrustAnchor> generateTrustAnchors()
+ throws CertificateException {
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate a trust anchor
+ TrustAnchor anchor =
+ new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+ return Collections.singleton(anchor);
+ }
+
+ private static CertStore generateCertificateStore() throws Exception {
+ Collection entries = new HashSet();
+
+ // generate CRL from CRL string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(topCrlStr.getBytes());
+ Collection mixes = cf.generateCRLs(is);
+ entries.addAll(mixes);
+
+ is = new ByteArrayInputStream(subCrlStr.getBytes());
+ mixes = cf.generateCRLs(is);
+ entries.addAll(mixes);
+
+ // intermediate certs
+ is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
+ mixes = cf.generateCertificates(is);
+ entries.addAll(mixes);
+
+ is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+ mixes = cf.generateCertificates(is);
+ entries.addAll(mixes);
+
+ return CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(entries));
+ }
+
+ public static void main(String args[]) throws Exception {
+ CertPath path = generateCertificatePath();
+ Set<TrustAnchor> anchors = generateTrustAnchors();
+ CertStore crls = generateCertificateStore();
+
+ PKIXParameters params = new PKIXParameters(anchors);
+
+ // add the CRL store
+ params.addCertStore(crls);
+
+ // Activate certificate revocation checking
+ params.setRevocationEnabled(true);
+
+ // set the validation time
+ params.setDate(new Date(109, 5, 1)); // 2009-05-01
+
+ // disable OCSP checker
+ Security.setProperty("ocsp.enable", "false");
+
+ // enable CRL checker
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+ try {
+ validator.validate(path, params);
+ } catch (CertPathValidatorException cpve) {
+ if (cpve.getReason() != BasicReason.REVOKED) {
+ throw new Exception(
+ "unexpect exception, should be a REVOKED CPVE", cpve);
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,247 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6720721
+ * @summary CRL check with circular depency support needed
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class CircularCRLTwoLevelRevoked {
+
+ static String selfSignedCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
+ "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
+ "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
+ "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
+ "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+ "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+ "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
+ "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
+ "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
+ "Vjw=\n" +
+ "-----END CERTIFICATE-----";
+
+ static String subCaCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
+ "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
+ "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
+ "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
+ "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
+ "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+ "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
+ "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
+ "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
+ "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
+ "-----END CERTIFICATE-----";
+
+ // a revoked certificate
+ static String targetCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
+ "MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+ "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n" +
+ "9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n" +
+ "1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n" +
+ "+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n" +
+ "FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n" +
+ "tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
+ "9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n" +
+ "5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n" +
+ "tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String topCrlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+ "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+ "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+ "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+ "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+ "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+ "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+ "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+ "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+ "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+ "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String subCrlIssuerCertStr =
+ "-----BEGIN CERTIFICATE-----\n" +
+ "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+ "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
+ "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+ "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
+ "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
+ "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
+ "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
+ "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
+ "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
+ "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
+ "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
+ "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
+ "rg==\n" +
+ "-----END CERTIFICATE-----";
+
+ static String topCrlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+ "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+ "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+ "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+ "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+ "-----END X509 CRL-----";
+
+ static String subCrlStr =
+ "-----BEGIN X509 CRL-----\n" +
+ "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+ "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
+ "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
+ "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
+ "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
+ "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
+ "ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
+ "-----END X509 CRL-----";
+
+ private static CertPath generateCertificatePath()
+ throws CertificateException {
+ // generate certificate from cert strings
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is;
+
+ is = new ByteArrayInputStream(targetCertStr.getBytes());
+ Certificate targetCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(subCaCertStr.getBytes());
+ Certificate subCaCert = cf.generateCertificate(is);
+
+ is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate certification path
+ List<Certificate> list = Arrays.asList(new Certificate[] {
+ targetCert, subCaCert, selfSignedCert});
+
+ return cf.generateCertPath(list);
+ }
+
+ private static Set<TrustAnchor> generateTrustAnchors()
+ throws CertificateException {
+ // generate certificate from cert string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(selfSignedCertStr.getBytes());
+ Certificate selfSignedCert = cf.generateCertificate(is);
+
+ // generate a trust anchor
+ TrustAnchor anchor =
+ new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+ return Collections.singleton(anchor);
+ }
+
+ private static CertStore generateCertificateStore() throws Exception {
+ Collection entries = new HashSet();
+
+ // generate CRL from CRL string
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ ByteArrayInputStream is =
+ new ByteArrayInputStream(topCrlStr.getBytes());
+ Collection mixes = cf.generateCRLs(is);
+ entries.addAll(mixes);
+
+ is = new ByteArrayInputStream(subCrlStr.getBytes());
+ mixes = cf.generateCRLs(is);
+ entries.addAll(mixes);
+
+ // intermediate certs
+ is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
+ mixes = cf.generateCertificates(is);
+ entries.addAll(mixes);
+
+ is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+ mixes = cf.generateCertificates(is);
+ entries.addAll(mixes);
+
+ return CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(entries));
+ }
+
+ public static void main(String args[]) throws Exception {
+ CertPath path = generateCertificatePath();
+ Set<TrustAnchor> anchors = generateTrustAnchors();
+ CertStore crls = generateCertificateStore();
+
+ PKIXParameters params = new PKIXParameters(anchors);
+
+ // add the CRL store
+ params.addCertStore(crls);
+
+ // Activate certificate revocation checking
+ params.setRevocationEnabled(true);
+
+ // set the validation time
+ params.setDate(new Date(109, 5, 1)); // 2009-05-01
+
+ // disable OCSP checker
+ Security.setProperty("ocsp.enable", "false");
+
+ // enable CRL checker
+ System.setProperty("com.sun.security.enableCRLDP", "true");
+
+ CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+ try {
+ validator.validate(path, params);
+ throw new Exception("unexpected status, should be REVOKED");
+ } catch (CertPathValidatorException cpve) {
+ if (cpve.getReason() != BasicReason.REVOKED) {
+ throw new Exception(
+ "unexpect exception, should be a REVOKED CPVE", cpve);
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/README Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,373 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+ Certificates and CRLs
+
+Here lists the Certificates and CRLs, which was generated by generate.sh,
+used in the test cases.
+
+The generate.sh depends on openssl, and it should be run under ksh. The
+script will create many directories and files, please run it in a
+directory outside of JDK workspace.
+
+1. root certifiate and key
+-----BEGIN CERTIFICATE-----
+MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ
+Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n
+jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID
+AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME
+QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw
+DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0
+484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye
+iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz
+Vjw=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,407A749DF8F6338E
+
+4ukHU4tkRAh2w17NEjPTICMbVtoS24bNk11Ywd7OzLV0aXnes2nSAV0KnXqnPTP8
+0VdoMVpp7r/jdaJvd3oL7MF5WcURzcOx2rirg+HeD5lHv0Blrh1FADcI1CQNsi8b
+WZHVuCc1+feOKxixPB8Fge5lKeeU554iTTk5XjOxAKO6GFn8FInj7b3+Zse4A/1E
+AOSKVSIWbx71owQyzjrYfoGE/oJVaSRraUbJL4xKcSUYdK+7Qp6h/HI1Cne2DZKu
+UmApdQnZbxa8hjuLqOiQFu6TVpzJh2UOqu1PEmjJgEM4DQQ9C8AgHdkVYitcLjiI
+b90H7JFl3EekMbjKEX/w2Z6y4RzFC9oGpJL/QpKvlq6sY7htPd1MK2UbWVE7/yq/
+holkrvySI1S7BFqKEdIY8Oe0tCNlmELdmL1+yVnQT0LnAX/bkzLNDw1n5J4WpLSX
+JdsgAXmw1hTh24tnT1E6IUd8HM4QyVrvsqCuEHTSMix1u6QCLvdlw4P6yA39ruiY
+xbBIcb5PHic0UrcdElRCzXLtW6tRe/98ET7WDEJOLudSUOSG3CKwrEX/kekBqJ11
+pAO34wLW5gsPwk2AQ1fAaNwHtGBlvKXnmbyuNitytA3/oSENSXnDHD2tIe1Jtep6
+yrfB9IqYEhINRi9BRR4rCkUwkBSRi4bRI7AzRP8pImG+iCDN6sT7T/mUmTTgFVLX
+NxPSGxbLxbidxnBU0B2JA3PfXqtt7J2Q5n0t3R3SC3iUxURGOvvccA3TcIWd4H75
+yQZNzvSIfTG3RhIM0as8/Ahad8hsdE/MqgW50yhzyjNF/UkvFLV8mw==
+-----END RSA PRIVATE KEY-----
+
+2. root crl issuer and key
+-----BEGIN CERTIFICATE-----
+MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC
+SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ
+atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID
+AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw
+PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD
+VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY
+eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP
+FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck
+uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4
+
+cDfhsWvWCNruFN+9gSWSEz8kffFrqnvp9sxQx2/EwBrC8HNdQQqQqhkcb5moALz0
+KxAFQMmUG476v1zRv4ZRIpmT9gYhuqSpqKVQLRzFhe9wUDsCOcNCSfqK4I4blt+R
+gqRF+o97iNun+T2QXvku6B72CgQhJQHrEifoSTSGYpKGIVnhBmBPgadKn864zrv0
+ZvwjjRtgyC6/QTfKcXTW+8TIa8Bg/821ZJ0FcNsJs+2tQnki/KubRBIo7rGXGcxO
+f5PtO8BTjsw6G9TMuHKPlozOgGBgkQzf3gNXOLhdjwSDJUlTLLx5ugal+q0VVK7a
+Np8rK1SLrbC9ReI/VGD8BBW8qHRYhJny2JQ0ub8rXIptILNxH4d8r5ye3NaoskVN
+S4i5Jr5bgr0ijZ6kdECDiAoUo6UtTX1O9nbZA2AyJLch8gfNs+WeJLDmG9JPGVsW
+moGPGev1ykTc11Hn8K6S0errWD778B+k0ODLWg3EP8E1GFgdChTdMz2fT+YNrvQ/
+0iJATduzl4BN9eVB2qnadDAXfWm9kwkaX915ePKU1RpEnU3WygSnze8MfWshVJTn
+2F/meijLWgqrb4fmyd6KoDeqP5a+ByAPAiw/oAtemWSDviDc6VpXcXCL8dYoIBOV
+ehg/3Z/DmjfVFHdl5PWQfHiuVbIJbr/soQiTvDsjypYDi/aiY729ils2IxmzIQR8
+iLhOtBr6yd9qfqQ0761cYrdW5HlsTHOyZFctKxIf98ybzp+bJlskH8ifA1kgNLs3
+18T2gS+SkKqITi6TmD4Fkob+UtXPyzsb/8g7cNSv82k=
+-----END RSA PRIVATE KEY-----
+
+3. root CRL issued by root crl issuer.
+-----BEGIN X509 CRL-----
+MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX
+DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ
+KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY
+CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg
+oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=
+-----END X509 CRL-----
+
+4. subca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj
+8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG
+Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8
+P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr
+IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj
+UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF
+hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ
+7cXP6VDeZMG6oRQ4hbOcixoFPXo=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0
+
+8S3B4hsTW2OI6CA7bgoou4nt8VQckaRKvC6v+J/gHhnjd9aWnv3wKHhZsQl42+dY
+HB8DImLTU02gnf3tEGJrTIyrIGrrAjwvio8yzxVqOnNuB6CamlCYx6Td7L09+Wlp
+8qV1dj+czHhkoH/r0oRHU8NKQMphLQ0kcq3n+hM1UcSzdPxStyIBSRn34dKkuA+t
+UjKfxbaPMN0dABPesN5emyAUYvVu4qSgDaw4pkqJKk/3+DL6lP3Ih93vTnyx7KU5
+UexoA9apTDGQuiNbhoKJwOlrG2E7Y57eVOW52b7QPHH8miNCJ5UJALBymPkBc76s
+D1ioMSdPWfy5C70Hh219oWync3UTToL/Jh1jc0ir5XI5l9lFz/IEA9uhxg137ixB
+Gj1f2S+eSgnQ3SADVrA5wwX88nrjDufrFpH7ofq947IbI9F6iTMOSqR1uIy0SryW
+jhB6t/fB0alZceqn8dLAFMV2WvVCGsWx53zcGg09q29FkjpLJpZiI6Bc6EYdk+nn
+aeGbHLxwKf/vLcD0Oyx4FiJS1vMAEex41eblcwqjiU6vql9LbIFX4hVjGoQ/cL0U
+bjEZjWlNPAvbBVAlStEXOyZzrrDJUags5gqhdv6VKvzQouwH3+Ivbx7UiSTpJ3If
+A9txNSVsqc5MTy4hA30RSdMwoP4lK2PrHvivNnZi/kD7Knxn9OuEVBL3KXTmYduQ
+kDmJzsKWOPvXHEgAZkfXIPKYNT2Z5LuS3yPSlGUcInImBawOkqgs5NJvUTrkbDMk
+uSrOUFUBdBczU4I5oD1vs9yNhLtaK0S6w3gfiHNpIfg4FIFbdqmnAA==
+-----END RSA PRIVATE KEY-----
+
+5. crl issuer of subca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd
+LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N
+4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm
+6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60
+jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x
+CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN
+BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX
+QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3
+bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M
+rg==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3
+
+KdLa0JlKnRDBf/bwtpvmcerBOzJNPidRoIrqDt8fZ5r4WyUWhmBzkNgmBu6KFFPQ
+4IKK4GW7Oo/D7x1w4hIyDt+JaMSdWWgSyvlIWZ6gSDEsqhzMHQpFNxDet8oD3B6H
+CMdfXuQ7VHWcYhjX078FNxSRqTQvKR1eAv3AdnXAkuH6Z8V/if1dlQ/yFteSKzCZ
+Y468leZR14Fl0J8au8LOHxZ6tUBvVXUTo0/FutsfOs9BfLTLkKvLS2pEjMdwnfvS
+4utV/keK7edAXALfnclAshjYShxgwcyAWszJs9M16k/jqAGdDLAfluoZaznfZ1sc
+KhAyIKYRo1XivjmTQxvQRwdG+X/w8CYUzawybt8TtXyLyu4cRdEHsEDyjJ5eG9ap
++ZDP+djWmrjUPKN5Ahc+Fjtsi6i8PcVFnYTnMAwfjiBd4iU+zJEhne0YUB4QRZee
+5jdLC8OUfqU0tByj7kDxn6shU2F3r7gIjPqx9DEWGWSf5XDlfk880GGIR67cNEqo
+lMLP/9/KUEeCwgrvqKdoD/O7qbNlmX7JyGcl/eU2Zsq5P5xkLWenuRHwpJlmV19m
+2Ovg2gK24okl7FiUgP3vNAzDznqHfyoyoR4noKPwtRANOI3otJxokMFGlgzQAXZB
+4Eg6M+VLuTxoV14tsSqtkBGNFOUE06n3G5CKuXbh3gXQs0gc8BvzuRMawVSHC144
+UJM3X73aqSM42lwO2pBjMfxyPdFNkxf3lDuyfMOhGlpDwsny4N4EAOS5ctKNl3Ua
+oP0BiqyKSuzreg1Ouwq1XxxnWec6XqlHm9482I/vautunqLYQDcfQQ==
+-----END RSA PRIVATE KEY-----
+
+6. CLR issued by subca CRL issuer
+-----BEGIN X509 CRL-----
+MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw
+NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO
+MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr
+aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX
+nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa
+ARGr6Qu68MYGtLMC6ZqP3u0=
+-----END X509 CRL-----
+
+7. dumca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc
+0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W
+bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4
+f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL
+/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05
+EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp
+TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs
+mihnXyZWWTA1sPZlVJu7/abJ2v0=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3
+
+KUkwAyP6ba59QAdDbaXGLmtxtrAilKjFVB+2eawq2Arpumu4cl1joeLtMANF9f1f
+afG5FDATYke6C0FMD/bfF4VkUcVUq+Daw8uS5LkDTYjRqrxE4nCLBhxDJdNiIhUi
+VNuTMITqcpOOU77nUu2O5LW9Z40F6H9x86SeHOeY0IrmhlFVgHuxr81jdrd8OLYK
+7DkKPUa5F331fAkknOQIYnhmCXeHtlTv8ozU5bfBc6TePAL6Y1jn7Hv7EB9C2yYU
+6qejxzKBgxWWWuYU21K0gayPmq8gAKyfi21xSxFR+a9GxRlf+K/x07i7w7oT6QLh
+Qft76I+UER2jYYeQm3sxEeLBq9nDb2HfSjOnLjh3J2c5Tp9B2dmLxPk2hHim4cUn
+nyE8lGDwt/+t6lM8GWfAPn92r2/YOQWr+MXcwE7hi8NZp4cjRR+UqXc0p4+3rKzQ
+IuD5CGgtx78sxMrAxfwvkedmYpjf9L8nGWdbivOI25mNKSXhEjMNzv+lC6nLQE7o
+6LLA3voN+SiVh7wu45FMJHsz1JOjUjwYXS931GsHyd/sy9q7wUkzokKc1WHML2vl
+NglC/4w3NOuEYm5ZDlu6QYQh2uIg/pHPO3am2NTjffjFV0uXEZGd0Qw3gPv9gPNv
+iMRa+6vQfl97xOYOtep4yp5L7XatoLMrVmboykdrojUuAQSiZgfwIR/f/NPbVvHp
+q3/fadE2hLpkkSJjPm5ensFXoLn14QTdVpKl3mjnAa0rb8q5edz4d8r644NHaYH0
+nxToTdZpSH7uGAuOMZwvUaKT//hojKBj6hjlDuVJWs/kwRHbWJEd4A==
+-----END RSA PRIVATE KEY-----
+
+8. crl issuer for dumca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaagAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDDBVR9IPJq6ND9z3Wpsv
+s0VfJief2QW6U7fNYAnpD4eXNXdwWtZvybMI12crUp31AWzjIaffsBzlFjBO3vKn
+edJ+Om2nhqPPT31nDIWIx1VdS7jL+XoFpo8QgzJQpX0rDZNhaTbQcgnuRhzOZ+x2
+AzxxQf7aMI6YQ5xklO1ftQIDAQABo3cwdTAdBgNVHQ4EFgQUYqt5Hbekj/p4UkfY
+sP4Ma5HdTpkwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x
+CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN
+BgkqhkiG9w0BAQQFAAOBgQAMBqjEfALPFj+asQfTjSqXZimybm5WCYJcv92WAaFm
+2aJe08jUKCwCVo29CFMMgVG5X0UhEP+ude9RyonYNrMg84hFrQdZSto4Co5yfCGi
+SMaa91gkN8/W4VKFjDoooOQ/9o6i22OC7av6+r+qhGMsop5mqRMumAM+C00dy1m6
+5g==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5
+
+V+hWLshb8wbqv8MqBFVZUBK3T995hc6xxWt9wn1aFVcvoxSmWQ20/9LdYDFNhf5j
+3grRdy6sBmQY1Ch73Q1N8egl0FlqqttBY62ulpVQFCYcYhCSMJKSDJyw5pYlQjd4
+LpVXhqsTCB1KdeOVkdB45Ljg7wy+idWfo6U0pAPjhnbPysZWuPrIGVIrVfDMz1tw
+ohuh/NOsF8r2w/U3zBaGKoeW/TGkxXBCKhMU78fve5ytEwv9Gp5m1O5yHJDqNC1M
+gtAQvvXifeLaCRfOpQtCHGuoR0fhdOnQPJQ/4Nre/dRG8zDVa3FKvWjMPbse4cxJ
+OljgVyd7UWrnUvnlNufI3T069b6aAfk16eLz9RAJZNZfpXflboRcaHW9VmjU8m7Y
+ir353hxKQk+P+lU2Ysmu7hx/QKmfG8aKI+r7tXnm1J0dmbeOZE69i4lhvXNvx1N2
+kPNKXsQ3kMKdJNVg5TQrUaqa7GtdQlg3Nr+FpaZ5aZJhTNFejQZrTV9bnQHob0q2
+1KCveDPOy2qtRY/mK+BnlNwGx1Ti87iGHv0Om8tXI53G0UkJs3LMI5JPcmHXVC1c
+skU6nAxhdNPSDN7EBMF80xte99qQTTtDbYQbIqMtd8lCP4HaYhTtlBeaROuntEjx
+3XDXVIHKHxSsrrKn/dE8Ls7tv1j0XxarzGekhQWZ6xbxxursiMstZUfDeQR7SlwC
+a3Lem76iGo2BqZd6wbv0i45P2hVQ8DuNhmOphC7DTFQmudOnFJKHPp8pmca+LGfV
+dgFmct3vSnWjnTvRDktFblfYa0r0QZDSKZt7TiI4QjR5iqP8WEziKA==
+-----END RSA PRIVATE KEY-----
+
+9. end entity certificate issued by subca, Alice
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK
+ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2
+V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/
+pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE
+4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG
+9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR
+wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3
+Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3616B3F098ED6707
+
+uXoAPYIUINSr8Cc67K1XdLPO/toBasXYJAYYodq+qMsqYVhjgUgzJWYBwayav04Y
+tPgID3f4olLMQP77h5nHLArQCdgI3ZmKDZ6tYR7c2YglTqO1h4pzptv3Csc6lsnr
+zYS43Wg5YK8lAVxAbaDqG/xRiJhEG6+Xqno/lyDSUcDjcsyULWCf1mUZUR66fpnO
+Kcvmec3RFS6PPpYKJ/3Hl6Px5TsnSMEgb8OIrLik4Tj08XhdBEZxTJcyA1JPeAUP
+PH9hm+TWb3E+kDywpItMlTFIhS6b41JGo6Rq6HwVYquCoE4NO32vovd57u5R20yy
+3mfzc0udAYDD8drnzp2XPridqy47m/zFpVgfYU+irH3uW/n1QSB0w3fdCRXNEl6c
+5dAAwwIR1Pn+RAVUvZ7sQ/qReSOHg85uH7FjY9+m4d4vtf8aV410pyDbaNnevvfK
+fTiwmopWujL9sJoZZYP04QZ1f+8aGA41dWS837d9e2F/9BtI5zlymEhLs8UFHziJ
+Cw41xnOHHaoxtDFSvSmc2G6o0jfwJ0AZf8toyB5kj+rd5iu2Z1Kmk8vd4bK5SCwT
+dZRLri75Hyns7fLMXuzOrJXLaYkLp7gk2YaN368M7mj2Z7yLBV0CoVopS2tfRVJn
+fzaxyrkzmZKPKq+m8+UjnlwRW7yR+2RYlFNP3/KemB2i+nXd35f1QCZqb20Lmbbx
+jDc1CxESY1wzY5oqUGXeFapbM4YKhQQ5BK90AjVfss1ymBT5vhSjoJSIW2yeklcI
+F/WuQ/CrBlmODbiM2LsQMTSoYcAIOUaRcVh/7kvlOlQ=
+-----END RSA PRIVATE KEY-----
+
+10. end entity certificate issued by subca, Bob
+-----BEGIN CERTIFICATE-----
+MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzdaFw0yOTAxMTIwMjI0MzdaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBANHxsJI6N5CawwUWJ63i2bvgdHzrsKUeBs7CXEIovPll
++utfqwJGGkkiW9FVxQ2NQfMoHKdSrbLQaZ4I6U75yh40ZiSgSCELzlW8JC48kX7u
+txYJzszjT6lATW+mRdMoO0guxAS4NcldoFHZ0nLkAvhRRpZgdS+wdc0LODxeplqT
+AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQU2yqQyfYTig4K30lCbEsR
+rSrhM6UwHwYDVR0jBBgwFoAU9P5zT/FqcsZmKyAaeLTfMtPI8NowDQYJKoZIhvcN
+AQEEBQADgYEAn6j1wY0G5dieYdwUBAJuh6zP1Cu+J12NgdetHAaN6Q3tP339ToCi
+C2NQYvFSwOZ7CKf2ofQq5qWA4EFd7PNxpYaVjhhxzkeQRuv/r/sA3rH+01MPx5ob
+N1wXY5QmBOuHJIKroNH60u9GzOIGIANZuYWsluw4spWRpvOdqudJWlg=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72
+
+cC15d0phhzxu+Y3FMLu22WejN0JEVGCD0Qbwz73+ahVCqivd7aaipXfnuyuIJW12
+ZHKR0ixZUwezRqqM0/D4vKyFR9giJ14A5Tk7RFzimm0JqdJYRXrmVEp+QdVYbJFC
+5ncmU/KCAJcHwewixbjo5pkrWNDpIWeIqI8F6rvY1MLSMCCwYfr+1SP5U6AB3+1T
+yySvWwK+TIAgVMNjhDKlJ78BxQ3C/AMw5grAU0t2jmuuuXJPML72mQ95ZBgcJsRF
+S0walZGZlK+p9S/b4EVzO+oaR1icazH1WJTyuzKOOurlFjFk3tmsnhNuWQTkNjgV
+wKODHLA8E8tBajYAYmkQX+uQOmol9LXSOrQFrxvHF3dWC5giOtPYeh9ibEFx+RMu
+2EmkF/9VFxzh+kK9KL2qplm4K3HoL/v9g/LlKowjQlr7LoJRCRDOmESCUWX0JPPB
+nD01HvyRjgpUAeKtxR3hjH3CrUM1rdLAJaFi1RzgjvXeXhX5stD3X6UCWFbeBBh1
+yic4RIGYWjqE7RJRd/Q+/11rCkONg9stYcpe1PL5fJWSC8Sixo6XQTQDbxOJBQbr
+gCoUFfCcN8nOYdSe2wWrE/l7r/mRFYbwlErlpomSaxye5yzXhombnZ2k4jNKylEp
+TMsvFtVXFyoLWFqhtrv/Sg+0zDox1HMx+qzePYsz9+/rrS7ej6b5c8r6yqmg7nHn
+XM4REA46bWcAVjkLNpNZU4i0iURrkjuK0uVFYfnFIxrvGLys8dzH+xAfAHcP0zZ3
+/K54gAGk4ZVVXOt8JKOVxAOj2+8f0Gbf28leRx/VOJlEZBpU6UVg4g==
+-----END RSA PRIVATE KEY-----
+
+10. end entity certificate issued by subca, Susan
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0
+MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR
+1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ
++rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo
+FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is
+tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG
+9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f
+5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi
+tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A
+
+YhChWe6DOA1Ck5BAjWrHmPkHcS9x5pDw81p31gSf7SE9MCwfsvAIq9jZ7xol3cIJ
+5dhbXtBaJIRghke11McQ6zM2DE+9izCO4itedw94i95jSzgpEHTk6gwp9MuomSsm
+ytrqIhwEtVC8PaQmywqshKWnpDn3tZESwySNZjUjzHhyzn2Vuyrb0WaHmw3uk33O
+7muGNkmn/1yP1qRyJ3YSGcMNpk2zvJDZS5CfJH9sb00+LL4PTKg4dymw4Vjk7b5f
+P5JGLbFCBbQ73CwSNLsQGV4qGz7AnRhsmPmNughshOoLKSEAxUsRHE67qyl+Flx0
+KZEGeKZUJD9fzgMMdNoYk0Pg9zxzM1oNewxsFk2tTrtMfGq+XFokWKfJoQWguStY
+BJWETGrSbXiDMIE93gX40C2zlT06ziOYfFCXeVRcBarolonTrOXt3RZzsQpY4lTz
+AAGrb2I9ZByL59ujfniTqljtBpuCKAm+jS0ofcGlQQ0MawtSOeSbQkFKHcKpcK0V
+cKMFL3sEzeJf+1LCt7Xnt4gaoXtTpVoWVWFZkghDSmIAHzKaWHAHn5PcUjwAAZHb
+47IRq+pe1WLc+tb61+E2jkhFC06QOSxmWSV3CHfMZTxkXX7B7RCiqs+tVH5Vlj/C
+ZhkSfmANUVPW1H0KXsDq6lzrEnvaZXZIzTLvj+OsLcG1anXdwPn0NPikfRU0GTvA
+fCzg7ZWlexJgl5I48X7AzpHpTPGAHGeNpYjzGWbxmC0KREcAM0yD15uFVac/ZIVI
+TO0icmSiRoshC70zo9/u2hUP1e4+s1vl0laq0WjGfFORE1JZ1Cs2Dg==
+-----END RSA PRIVATE KEY-----
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,221 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+
+# generate a self-signed root certificate
+if [ ! -f root/root_cert.pem ]; then
+ if [ ! -d root ]; then
+ mkdir root
+ fi
+
+ openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
+ -out root/root_cert.pem -subj "/C=US/O=Example" \
+ -config openssl.cnf -reqexts cert_issuer -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+fi
+
+# generate a sele-issued root crl issuer certificate
+if [ ! -f root/top_crlissuer_cert.pem ]; then
+ if [ ! -d root ]; then
+ mkdir root
+ fi
+
+ openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
+ -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
+ -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate subca cert issuer and crl iuuser certificates
+if [ ! -f subca/subca_cert.pem ]; then
+ if [ ! -d subca ]; then
+ mkdir subca
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
+ -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
+ -extensions cert_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
+ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+ openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
+ -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
+ -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate dumca cert issuer and crl iuuser certificates
+if [ ! -f dumca/dumca_cert.pem ]; then
+ if [ ! -d sumca ]; then
+ mkdir dumca
+ fi
+
+ openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
+ -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
+ -extensions cert_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out dumca/dumca_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+
+ openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
+ -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
+ -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/alice_cert.pem ]; then
+ if [ ! -d subca/alice ]; then
+ mkdir -p subca/alice
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
+ -out subca/alice/alice_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/alice/alice_req.pem \
+ -extfile openssl.cnf -extensions ee_of_subca \
+ -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+ -out subca/alice/alice_cert.pem -CAcreateserial \
+ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Bob
+if [ ! -f subca/bob/bob_cert.pem ]; then
+ if [ ! -d subca/bob ]; then
+ mkdir -p subca/bob
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
+ -out subca/bob/bob_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/bob/bob_req.pem \
+ -extfile openssl.cnf -extensions ee_of_subca \
+ -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+ -out subca/bob/bob_cert.pem -CAcreateserial \
+ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Susan
+if [ ! -f subca/susan/susan_cert.pem ]; then
+ if [ ! -d subca/susan ]; then
+ mkdir -p subca/susan
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
+ -out subca/susan/susan_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
+ -extensions ee_of_subca -CA subca/subca_cert.pem \
+ -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
+ -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+
+# generate the top CRL
+if [ ! -f root/top_crl.pem ]; then
+ if [ ! -d root ]; then
+ mkdir root
+ fi
+
+ if [ ! -f root/index.txt ]; then
+ touch root/index.txt
+ echo 00 > root/crlnumber
+ fi
+
+ openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+ -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+ -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+ -passin pass:passphrase
+fi
+
+# revoke dumca
+openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
+ -name ca_top -crl_reason superseded \
+ -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
+ -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+ -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+ -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+ -passin pass:passphrase
+
+# revoke for subca
+if [ ! -f subca/subca_crl.pem ]; then
+ if [ ! -d subca ]; then
+ mkdir subca
+ fi
+
+ if [ ! -f subca/index.txt ]; then
+ touch subca/index.txt
+ echo 00 > subca/crlnumber
+ fi
+
+ openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+ -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+ -passin pass:passphrase
+fi
+
+# revoke susan
+openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
+ -name ca_subca -crl_reason superseded \
+ -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+ -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+ -passin pass:passphrase
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf Tue May 26 16:43:22 2009 +0800
@@ -0,0 +1,206 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./top
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_top ]
+dir = ./root
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_subca ]
+dir = ./subca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = NO
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = A-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+
+[ usr_cert ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+
+[ cert_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+
+
+[ crl_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer