/* * Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @bug 8132926 * @summary PKIXParameters built with public key form of TrustAnchor causes * NPE during cert path building/validation * @run main ValWithAnchorByName */ import java.io.ByteArrayInputStream; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CertPath; import java.security.cert.CertPathValidator; import java.security.cert.PKIXParameters; import java.security.cert.PKIXRevocationChecker; import java.security.cert.TrustAnchor; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Base64; import java.util.Collections; import java.util.Date; import java.util.List; import java.util.Map; import java.util.HashMap; // To get certpath debugging, add -Djava.security.debug=certpath public class ValWithAnchorByName { // The following certificates and OCSP responses were captured from // a test run that used certificates and responses generated by // jdk.test.lib.security.CertificateBuilder and // jdk.test.lib.security.SimpleOCSPServer. // Subject: CN=SSLCertificate, O=SomeCompany // Issuer: CN=Intermediate CA Cert, O=SomeCompany // Validity: Tue Aug 30 14:37:19 PDT 2016 to Wed Aug 30 14:37:19 PDT 2017 private static final String EE_CERT = "-----BEGIN CERTIFICATE-----\n" + "MIIDnTCCAoWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwNTEUMBIGA1UEChMLU29t\n" + "ZUNvbXBhbnkxHTAbBgNVBAMTFEludGVybWVkaWF0ZSBDQSBDZXJ0MB4XDTE2MDgz\n" + "MDIxMzcxOVoXDTE3MDgzMDIxMzcxOVowLzEUMBIGA1UEChMLU29tZUNvbXBhbnkx\n" + "FzAVBgNVBAMTDlNTTENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n" + "MIIBCgKCAQEAjgv8KKE4CO0rbCjRLA1hXjRiSq30jeusCJ8frbRG+QOBgQ3j6jgc\n" + "vk5wG1aTu7R4AFn0/HRDMzP9ZbRlZVIbJUTd8YiaNyZeyWapPnxHWrPCd5e1xopk\n" + "ElieDdEH5FiLGtIrWy56CGA1hfQb1vUVYegyeY+TTtMFVHt0PrmMk4ZRgj/GtVNp\n" + "BQQYIzaYAcrcWMeCn30ZrhaGAL1hsdgmEVV1wsTD4JeNMSwLwMYem7fg8ondGZIR\n" + "kZuGtuSdOHu4Xz+mgDNXTeX/Bp/dQFucxCG+FOOM9Hoz72RY2W8YqgL38RlnwYWp\n" + "nUNxhXWFH6vyINRQVEu3IgahR6HXjxM7LwIDAQABo4G8MIG5MBQGA1UdEQQNMAuC\n" + "CWxvY2FsaG9zdDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9s\n" + "b2NhbGhvc3Q6NDIzMzMwHwYDVR0jBBgwFoAUYT525lwHCI4CmuWs8a7poaeKRJ4w\n" + "HQYDVR0OBBYEFCaQnOX4L1ovqyfeKuoay+kI+lXgMA4GA1UdDwEB/wQEAwIFoDAd\n" + "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEB\n" + "AD8dqQIqFasJcL8lm4mPTsBl0JgNiN8tQcXM7VCvcH+yDvEyh9vudDjuhpSORqPq\n" + "f1o/EvJ+gfs269mBnYQujYRvmSd6EAcBntv5zn6amOh03o6PqTY9KaUC/mL9hB84\n" + "Y5/LYioP16sME7egKnlrGUgKh0ZvGzm7c3SYx3Z5YoeFBOkZajc7Jm+cBw/uBQkF\n" + "a9mLEczIvOgkq1wto8vr2ptH1gEuvFRcorN3muvq34bk40G08+AHlP3fCLFpI3FA\n" + "IStJLJZRcO+Ib4sOcKuaBGnuMo/QVOCEMDUs6RgiWtSd93OZKFIUOASVp6YIkcSs\n" + "5/rmc06sICqBjLfPEB68Jjw=\n" + "-----END CERTIFICATE-----"; // Subject: CN=Intermediate CA Cert, O=SomeCompany // Issuer: CN=Root CA Cert, O=SomeCompany // Validity: Sun Aug 07 14:37:19 PDT 2016 to Tue Aug 07 14:37:19 PDT 2018 private static final String INT_CA_CERT = "-----BEGIN CERTIFICATE-----\n" + "MIIDdjCCAl6gAwIBAgIBZDANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtTb21l\n" + "Q29tcGFueTEVMBMGA1UEAxMMUm9vdCBDQSBDZXJ0MB4XDTE2MDgwNzIxMzcxOVoX\n" + "DTE4MDgwNzIxMzcxOVowNTEUMBIGA1UEChMLU29tZUNvbXBhbnkxHTAbBgNVBAMT\n" + "FEludGVybWVkaWF0ZSBDQSBDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" + "CgKCAQEAnJR5CnE7GKlQjigExSJ6hHu302mc0PcA6TDgsIitPYD/r8RBbBuE51OQ\n" + "7IP7AXmfPUV3/+pO/uxx6mgY5O6XeUl7KadhVPtPcL0BVVevCSOdTMVa3iV4zRpa\n" + "C6Uy2ouUFnafKnDtlbieggyETUoNgVNJYA9L0XNhtSnENoLHC4Pq0v8OsNtsOWFR\n" + "NiMTOA49NNDBw85WgPyFAxjqO4z0J0zxdWq3W4rSMB8xrkulv2Rvj3GcfYJK/ab8\n" + "V1IJ6PMWCpujASY3BzvYPnN7BKuBjbWJPgZdPYfX1cxeG80u0tOuMfWWiNONSMSA\n" + "7m9y304QA0gKqlrFFn9U4hU89kv1IwIDAQABo4GYMIGVMA8GA1UdEwEB/wQFMAMB\n" + "Af8wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0\n" + "OjM5MTM0MB8GA1UdIwQYMBaAFJNMsejEyJUB9tiWycVczvpiMVQZMB0GA1UdDgQW\n" + "BBRhPnbmXAcIjgKa5azxrumhp4pEnjAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN\n" + "AQELBQADggEBAE4nOFdW9OirPnRvxihQXYL9CXLuGQz5tr0XgN8wSY6Un9b6CRiK\n" + "7obgIGimVdhvUC1qdRcwJqgOfJ2/jR5/5Qo0TVp+ww4dHNdUoj73tagJ7jTu0ZMz\n" + "5Zdp0uwd4RD/syvTeVcbPc3m4awtgEvRgzpDMcSeKPZWInlo7fbnowKSAUAfO8de\n" + "0cDkxEBkzPIzGNu256cdLZOqOK9wLJ9mQ0zKgi/2NsldNc2pl/6jkGpA6uL5lJsm\n" + "fo9sDusWNHV1YggqjDQ19hrf40VuuC9GFl/qAW3marMuEzY/NiKVUxty1q1s48SO\n" + "g5LoEPDDkbygOt7ICL3HYG1VufhC1Q2YY9c=\n" + "-----END CERTIFICATE-----"; // Subject: CN=Root CA Cert, O=SomeCompany // Issuer: CN=Root CA Cert, O=SomeCompany // Validity: Fri Jul 08 14:37:18 PDT 2016 to Fri Jun 28 14:37:18 PDT 2019 private static final String ROOT_CA_CERT = "-----BEGIN CERTIFICATE-----\n" + "MIIDODCCAiCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAtMRQwEgYDVQQKEwtTb21l\n" + "Q29tcGFueTEVMBMGA1UEAxMMUm9vdCBDQSBDZXJ0MB4XDTE2MDcwODIxMzcxOFoX\n" + "DTE5MDYyODIxMzcxOFowLTEUMBIGA1UEChMLU29tZUNvbXBhbnkxFTATBgNVBAMT\n" + "DFJvb3QgQ0EgQ2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIlN\n" + "M3WYEqkU2elXEZrV9QSDbDKwyaLEHafLFciH8Edoag3q/7jEzFJxI7JZ831tdbWQ\n" + "Bm6Hgo+8pvetOFW1BckL8eIjyOONP2CKfFaeMaozsWi1cgxa+rjpU/Rekc+zBqvv\n" + "y4Sr97TwT6nQiLlgjC1nCfR1SVpO51qoDChS7n785rsKEZxw/p+kkVWSZffU7zN9\n" + "c645cPg//L/kjiyeKMkaquGQOYS68gQgy8YZXQv1E3l/8e8Ci1s1DYA5wpCbaBqg\n" + "Tw84Rr4zlUEQBgXzQlRt+mPzeaDpdG1EeGkXrcdkZ+0EMELoOVXOEn6VNsz6vT3I\n" + "KrnvQBSnN06xq/iWwC0CAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME\n" + "GDAWgBSTTLHoxMiVAfbYlsnFXM76YjFUGTAdBgNVHQ4EFgQUk0yx6MTIlQH22JbJ\n" + "xVzO+mIxVBkwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAAi+Nl\n" + "sxP9t2IhiZIHRJGSBZuQlXIjwYIwbq3ZWc/ApZ+0oxtl7DYQi5uRNt8/opcGNCHc\n" + "IY0fG93SbkDubXbxPYBW6D/RUjbz59ZryaP5ym55p1MjHTOqy+AM8g41xNTJikc3\n" + "UUFXXnckeFbawijCsb7vf71owzKuxgBXi9n1rmXXtncKoA/LrUVXoUlKefdgDnsU\n" + "sl3Q29eibE3HSqziMMoAOLm0jjekFGWIgLeTtyRYR1d0dNaUwsHTrQpPjxxUTn1x\n" + "sAPpXKfzPnsYAZeeiaaE75GwbWlHzrNinvxdZQd0zctpfBJfVqD/+lWANlw+rOaK\n" + "J2GyCaJINsyaI/I2\n" + "-----END CERTIFICATE-----"; // OCSP Response Status: successful (0x0) // Response Type: Basic OCSP Response // Version: 1 (0x0) // Responder Id: CN=Intermediate CA Cert, O=SomeCompany // Produced At: Sep 6 21:37:20 2016 GMT // Responses: // Certificate ID: // Hash Algorithm: sha1 // Issuer Name Hash: 7ED23D4396152EAB7D0C4AD8C1CA1418AA05DD54 // Issuer Key Hash: 613E76E65C07088E029AE5ACF1AEE9A1A78A449E // Serial Number: 1000 // Cert Status: good // This Update: Sep 6 21:37:20 2016 GMT // Next Update: Sep 6 22:37:19 2016 GMT private static final String EE_OCSP_RESP = "MIIFbAoBAKCCBWUwggVhBgkrBgEFBQcwAQEEggVSMIIFTjCBtaE3MDUxFDASBgNV\n" + "BAoTC1NvbWVDb21wYW55MR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgQ2VydBgP\n" + "MjAxNjA5MDYyMTM3MjBaMGUwYzA7MAkGBSsOAwIaBQAEFH7SPUOWFS6rfQxK2MHK\n" + "FBiqBd1UBBRhPnbmXAcIjgKa5azxrumhp4pEngICEACAABgPMjAxNjA5MDYyMTM3\n" + "MjBaoBEYDzIwMTYwOTA2MjIzNzE5WqECMAAwDQYJKoZIhvcNAQELBQADggEBAF13\n" + "cLwxDG8UYPIbzID86vZGOWUuv5c35VnvebMk/ajAUdpItDYshIQVi90Z8BB2TEi/\n" + "wtx1aNkIv7db0uQ0NnRfvME8vG2PWbty36CNAYr/M5UVzUmELH2sGTyf2fKfNIUK\n" + "Iya/NRxCqxLAc34NYH0YyGJ9VcDjbEMNSBAHIqDdBNqKUPnjn454yoivU2oEs294\n" + "cGePMx3QLyPepMwUss8nW74yIF7vxfJ+KFDBGWNuZDRfXScsGIoeM0Vt9B+4fmnV\n" + "nP4Dw6l3IwmQH4ppjg08qTKvyrXcF2dPDWa98Xw6bA5G085Z/b/6/6GpkvKx/q6i\n" + "UqKwF7q5hkDcB+N4/5SgggN+MIIDejCCA3YwggJeoAMCAQICAWQwDQYJKoZIhvcN\n" + "AQELBQAwLTEUMBIGA1UEChMLU29tZUNvbXBhbnkxFTATBgNVBAMTDFJvb3QgQ0Eg\n" + "Q2VydDAeFw0xNjA4MDcyMTM3MTlaFw0xODA4MDcyMTM3MTlaMDUxFDASBgNVBAoT\n" + "C1NvbWVDb21wYW55MR0wGwYDVQQDExRJbnRlcm1lZGlhdGUgQ0EgQ2VydDCCASIw\n" + "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJyUeQpxOxipUI4oBMUieoR7t9Np\n" + "nND3AOkw4LCIrT2A/6/EQWwbhOdTkOyD+wF5nz1Fd//qTv7scepoGOTul3lJeymn\n" + "YVT7T3C9AVVXrwkjnUzFWt4leM0aWgulMtqLlBZ2nypw7ZW4noIMhE1KDYFTSWAP\n" + "S9FzYbUpxDaCxwuD6tL/DrDbbDlhUTYjEzgOPTTQwcPOVoD8hQMY6juM9CdM8XVq\n" + "t1uK0jAfMa5Lpb9kb49xnH2CSv2m/FdSCejzFgqbowEmNwc72D5zewSrgY21iT4G\n" + "XT2H19XMXhvNLtLTrjH1lojTjUjEgO5vct9OEANICqpaxRZ/VOIVPPZL9SMCAwEA\n" + "AaOBmDCBlTAPBgNVHRMBAf8EBTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF\n" + "BQcwAYYWaHR0cDovL2xvY2FsaG9zdDozOTEzNDAfBgNVHSMEGDAWgBSTTLHoxMiV\n" + "AfbYlsnFXM76YjFUGTAdBgNVHQ4EFgQUYT525lwHCI4CmuWs8a7poaeKRJ4wDgYD\n" + "VR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQBOJzhXVvToqz50b8YoUF2C\n" + "/Qly7hkM+ba9F4DfMEmOlJ/W+gkYiu6G4CBoplXYb1AtanUXMCaoDnydv40ef+UK\n" + "NE1afsMOHRzXVKI+97WoCe407tGTM+WXadLsHeEQ/7Mr03lXGz3N5uGsLYBL0YM6\n" + "QzHEnij2ViJ5aO3256MCkgFAHzvHXtHA5MRAZMzyMxjbtuenHS2TqjivcCyfZkNM\n" + "yoIv9jbJXTXNqZf+o5BqQOri+ZSbJn6PbA7rFjR1dWIIKow0NfYa3+NFbrgvRhZf\n" + "6gFt5mqzLhM2PzYilVMbctatbOPEjoOS6BDww5G8oDreyAi9x2BtVbn4QtUNmGPX"; // OCSP Response Status: successful (0x0) // Response Type: Basic OCSP Response // Version: 1 (0x0) // Responder Id: O = SomeCompany, CN = Root CA Cert // Produced At: Sep 6 21:37:20 2016 GMT // Responses: // Certificate ID: // Hash Algorithm: sha1 // Issuer Name Hash: C8ED9F4E9AC0052A978257C569E6A7C9C45F5CB5 // Issuer Key Hash: 934CB1E8C4C89501F6D896C9C55CCEFA62315419 // Serial Number: 64 // Cert Status: good // This Update: Sep 6 21:37:20 2016 GMT // Next Update: Sep 6 22:37:19 2016 GMT private static final String INT_CA_OCSP_RESP = "MIIFJQoBAKCCBR4wggUaBgkrBgEFBQcwAQEEggULMIIFBzCBrKEvMC0xFDASBgNV\n" + "BAoTC1NvbWVDb21wYW55MRUwEwYDVQQDEwxSb290IENBIENlcnQYDzIwMTYwOTA2\n" + "MjEzNzIwWjBkMGIwOjAJBgUrDgMCGgUABBTI7Z9OmsAFKpeCV8Vp5qfJxF9ctQQU\n" + "k0yx6MTIlQH22JbJxVzO+mIxVBkCAWSAABgPMjAxNjA5MDYyMTM3MjBaoBEYDzIw\n" + "MTYwOTA2MjIzNzE5WqECMAAwDQYJKoZIhvcNAQELBQADggEBAAgs8jpuEejPD8qO\n" + "+xckvqMz/5pItOHaSB0xyPNpIapqjcDkLktJdBVq5XJWernO9DU+P7yr7TDbvo6h\n" + "P5jBZklLz16Z1aRlEyow2jhelVjNl6nxoiij/6LOGK4tLHa8fK7hTB4Ykw22Bxzt\n" + "LcbrU5jgUDhdZkTrs+rWM8nw7mVWIQYQfwzCMDZ5a02MxzhdwggJGRzqMrbhY/Q7\n" + "RRUK3ohSgzHmLjVkvA0KeM/Px7EefzbEbww08fSsLybmBoIEbcckWSHkkXx4cuIR\n" + "T9FiTz4Ms4r8qzPCo61qeklE2I5lfnfieROADV6sfwbul/0U1HqKhHVaxJ8yYw+T\n" + "/FMxrUKgggNAMIIDPDCCAzgwggIgoAMCAQICAQEwDQYJKoZIhvcNAQELBQAwLTEU\n" + "MBIGA1UEChMLU29tZUNvbXBhbnkxFTATBgNVBAMTDFJvb3QgQ0EgQ2VydDAeFw0x\n" + "NjA3MDgyMTM3MThaFw0xOTA2MjgyMTM3MThaMC0xFDASBgNVBAoTC1NvbWVDb21w\n" + "YW55MRUwEwYDVQQDEwxSb290IENBIENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" + "DwAwggEKAoIBAQCJTTN1mBKpFNnpVxGa1fUEg2wysMmixB2nyxXIh/BHaGoN6v+4\n" + "xMxScSOyWfN9bXW1kAZuh4KPvKb3rThVtQXJC/HiI8jjjT9ginxWnjGqM7FotXIM\n" + "Wvq46VP0XpHPswar78uEq/e08E+p0Ii5YIwtZwn0dUlaTudaqAwoUu5+/Oa7ChGc\n" + "cP6fpJFVkmX31O8zfXOuOXD4P/y/5I4snijJGqrhkDmEuvIEIMvGGV0L9RN5f/Hv\n" + "AotbNQ2AOcKQm2gaoE8POEa+M5VBEAYF80JUbfpj83mg6XRtRHhpF63HZGftBDBC\n" + "6DlVzhJ+lTbM+r09yCq570AUpzdOsav4lsAtAgMBAAGjYzBhMA8GA1UdEwEB/wQF\n" + "MAMBAf8wHwYDVR0jBBgwFoAUk0yx6MTIlQH22JbJxVzO+mIxVBkwHQYDVR0OBBYE\n" + "FJNMsejEyJUB9tiWycVczvpiMVQZMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B\n" + "AQsFAAOCAQEAAIvjZbMT/bdiIYmSB0SRkgWbkJVyI8GCMG6t2VnPwKWftKMbZew2\n" + "EIubkTbfP6KXBjQh3CGNHxvd0m5A7m128T2AVug/0VI28+fWa8mj+cpueadTIx0z\n" + "qsvgDPIONcTUyYpHN1FBV153JHhW2sIowrG+73+9aMMyrsYAV4vZ9a5l17Z3CqAP\n" + "y61FV6FJSnn3YA57FLJd0NvXomxNx0qs4jDKADi5tI43pBRliIC3k7ckWEdXdHTW\n" + "lMLB060KT48cVE59cbAD6Vyn8z57GAGXnommhO+RsG1pR86zYp78XWUHdM3LaXwS\n" + "X1ag//pVgDZcPqzmiidhsgmiSDbMmiPyNg=="; // Do path validation as if it is always Tue, 06 Sep 2016 22:12:21 GMT // This value is within the lifetimes of all certificates and both OCSP // responses. private static final Date EVAL_DATE = new Date(1473199941000L); private static final Base64.Decoder DECODER = Base64.getMimeDecoder(); public static void main(String[] args) throws Exception { TrustAnchor anchor; CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509Certificate rootCert = generateCertificate(cf, ROOT_CA_CERT); X509Certificate eeCert = generateCertificate(cf, EE_CERT); X509Certificate intCaCert = generateCertificate(cf, INT_CA_CERT); List certList = new ArrayList() {{ add(eeCert); add(intCaCert); }}; System.out.println("==== Certificate Path ====="); for (X509Certificate c : certList) { System.out.println(c + "\n"); } System.out.println("==========================="); System.out.println("===== Test 1: TA(X509Certificate) ====="); anchor = new TrustAnchor(rootCert, null); runTest(cf, certList, anchor); System.out.println("===== Test 2: TA(X500Principal, PublicKey ====="); anchor = new TrustAnchor(rootCert.getSubjectX500Principal(), rootCert.getPublicKey(), null); runTest(cf, certList, anchor); System.out.println("===== Test 3: TA(String, PublicKey ====="); anchor = new TrustAnchor(rootCert.getSubjectX500Principal().getName(), rootCert.getPublicKey(), null); runTest(cf, certList, anchor); } private static void runTest(CertificateFactory cf, List certList, TrustAnchor anchor) throws Exception { CertPath path = cf.generateCertPath(certList); CertPathValidator validator = CertPathValidator.getInstance("PKIX"); System.out.println(anchor); // Attach the OCSP responses to a PKIXParameters object PKIXRevocationChecker pkrev = (PKIXRevocationChecker)validator.getRevocationChecker(); Map responseMap = new HashMap<>(); responseMap.put(certList.get(0), DECODER.decode(EE_OCSP_RESP)); responseMap.put(certList.get(1), DECODER.decode(INT_CA_OCSP_RESP)); pkrev.setOcspResponses(responseMap); PKIXParameters params = new PKIXParameters(Collections.singleton(anchor)); params.addCertPathChecker(pkrev); params.setDate(EVAL_DATE); validator.validate(path, params); } private static X509Certificate generateCertificate(CertificateFactory cf, String encoded) throws CertificateException { ByteArrayInputStream is = new ByteArrayInputStream(encoded.getBytes()); return (X509Certificate)cf.generateCertificate(is); } }