/* * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @bug 8046321 * @summary OCSP Stapling for TLS (ResponderId tests) * @modules java.base/sun.security.provider.certpath * java.base/sun.security.x509 */ import java.io.*; import java.security.cert.*; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.util.AbstractMap; import java.util.Arrays; import java.util.Map; import java.util.List; import java.util.ArrayList; import javax.security.auth.x500.X500Principal; import sun.security.x509.KeyIdentifier; import sun.security.provider.certpath.ResponderId; /* * NOTE: this test uses Sun private classes which are subject to change. */ public class ResponderIdTests { private static final boolean debug = true; // Source certificate created with the following command: // keytool -genkeypair -alias test1 -keyalg rsa -keysize 2048 \ // -validity 7300 -keystore test1.jks \ // -dname "CN=SelfSignedResponder, OU=Validation Services, O=FakeCompany" private static final String RESP_CERT_1 = "-----BEGIN CERTIFICATE-----\n" + "MIIDQzCCAiugAwIBAgIEXTqCCjANBgkqhkiG9w0BAQsFADBSMRQwEgYDVQQKEwtG\n" + "YWtlQ29tcGFueTEcMBoGA1UECxMTVmFsaWRhdGlvbiBTZXJ2aWNlczEcMBoGA1UE\n" + "AxMTU2VsZlNpZ25lZFJlc3BvbmRlcjAeFw0xNDA4MTcwNDM2MzBaFw0zNDA4MTIw\n" + "NDM2MzBaMFIxFDASBgNVBAoTC0Zha2VDb21wYW55MRwwGgYDVQQLExNWYWxpZGF0\n" + "aW9uIFNlcnZpY2VzMRwwGgYDVQQDExNTZWxmU2lnbmVkUmVzcG9uZGVyMIIBIjAN\n" + "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApt2Cmw2k9tviLxaxE8aWNuoosWKL\n" + "h+K4mNcDGKSoiChsqRqeJEnOxijDZqyFwfkaXvpAduFqYjz+Lij2HumvAjHDTui6\n" + "bGcbsndRDPjvVo1S7f1oWsg7oiA8Lzmjl452S7UNBsDX5Dt1e84Xxwi40B1J2y8D\n" + "FRPfYRWRlC1Z4kzqkBBa7JhANS+W8KDstFZxL4AwWH/byNwB5dl2j04ohg/Ar54e\n" + "mu08PIH3hmi0pAu5wn9ariA7UA5lFWRJzvgGXV5J+QVEFuvKmeJ/Q6tU5OBJGw98\n" + "zjd7F5B0iE+rJHTNF1aGaQfIorz04onV2WjH2VZA18AaMwqlY2br1SBdTQIDAQAB\n" + "oyEwHzAdBgNVHQ4EFgQUG09HasSTYaTIh/CxxV/rcJV1LvowDQYJKoZIhvcNAQEL\n" + "BQADggEBAIcUomNpZxGkocIzzybLyeyC6vLF1k0/unuPAHZLDP3o2JTstPhLHOCg\n" + "FYw1VG2i23pjwKK2x/o80tJAOmW6vowbAPnNmtNIYO3gB/ZGiKeORoGKBCRDNvFa\n" + "6ZrWxwTzT3EpVwRe7ameES0uP8+S4q2P5LhwMIMw7vGHoOQJgkAh/NUiCli1qRnJ\n" + "FYd6cHMJJK5gF2FqQ7tdbA26pS06bkIEvil2M5wyKKWOydOa/pr1LgMf9KxljJ8J\n" + "XlAOO/mGZGkYmWnQaQuBIDyWunWYlhsyCXMa8AScgs0uUeQp19tO7R0f03q/JXoZ\n" + "1At1gZiMS7SdQaRWP5q+FunAeFWjsFE=\n" + "-----END CERTIFICATE-----"; private static final String RESP_CERT_1_SUBJ = "CN=SelfSignedResponder, OU=Validation Services, O=FakeCompany"; private static X509Certificate cert = null; // The expected DER-encoding for a byName ResponderId derived // from RESP_CERT_1 private static final byte[] EXP_NAME_ID_BYTES = { -95, 84, 48, 82, 49, 20, 48, 18, 6, 3, 85, 4, 10, 19, 11, 70, 97, 107, 101, 67, 111, 109, 112, 97, 110, 121, 49, 28, 48, 26, 6, 3, 85, 4, 11, 19, 19, 86, 97, 108, 105, 100, 97, 116, 105, 111, 110, 32, 83, 101, 114, 118, 105, 99, 101, 115, 49, 28, 48, 26, 6, 3, 85, 4, 3, 19, 19, 83, 101, 108, 102, 83, 105, 103, 110, 101, 100, 82, 101, 115, 112, 111, 110, 100, 101, 114 }; // The expected DER-encoding for a byKey ResponderId derived // from RESP_CERT_1 private static final byte[] EXP_KEY_ID_BYTES = { -94, 22, 4, 20, 27, 79, 71, 106, -60, -109, 97, -92, -56, -121, -16, -79, -59, 95, -21, 112, -107, 117, 46, -6 }; // The DER encoding of a byKey ResponderId, but using an // incorrect explicit tagging (CONTEXT CONSTRUCTED 3) private static final byte[] INV_EXPLICIT_TAG_KEY_ID = { -93, 22, 4, 20, 27, 79, 71, 106, -60, -109, 97, -92, -56, -121, -16, -79, -59, 95, -21, 112, -107, 117, 46, -6 }; // These two ResponderId objects will have objects attached to them // after the pos_CtorByName and pos_CtorByKeyId tests run. Those // two tests should always be the first two that run. public static ResponderId respByName; public static ResponderId respByKeyId; public static void main(String[] args) throws Exception { List testList = new ArrayList<>(); testList.add(pos_CtorByName); testList.add(pos_CtorByKeyId); testList.add(pos_CtorByEncoding); testList.add(neg_CtorByEncoding); testList.add(pos_Equality); testList.add(pos_GetEncoded); testList.add(pos_GetRespName); testList.add(pos_GetRespKeyId); // Load the certificate object we can use for subsequent tests CertificateFactory cf = CertificateFactory.getInstance("X.509"); cert = (X509Certificate)cf.generateCertificate( new ByteArrayInputStream(RESP_CERT_1.getBytes())); System.out.println("============ Tests ============"); int testNo = 0; int numberFailed = 0; Map.Entry result; for (TestCase test : testList) { System.out.println("Test " + ++testNo + ": " + test.getName()); result = test.runTest(); System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL")); System.out.println(" " + (result.getValue() != null ? result.getValue() : "")); System.out.println("-------------------------------------------"); if (!result.getKey()) { numberFailed++; } } System.out.println("End Results: " + (testList.size() - numberFailed) + " Passed" + ", " + numberFailed + " Failed."); if (numberFailed > 0) { throw new RuntimeException( "One or more tests failed, see test output for details"); } } private static void dumpHexBytes(byte[] data) { if (data != null) { for (int i = 0; i < data.length; i++) { if (i % 16 == 0 && i != 0) { System.out.print("\n"); } System.out.print(String.format("%02X ", data[i])); } System.out.print("\n"); } } public interface TestCase { String getName(); Map.Entry runTest(); } public static final TestCase pos_CtorByName = new TestCase() { @Override public String getName() { return "CTOR Test (by-name)"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { respByName = new ResponderId(cert.getSubjectX500Principal()); pass = Boolean.TRUE; } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_CtorByKeyId = new TestCase() { @Override public String getName() { return "CTOR Test (by-keyID)"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { respByKeyId = new ResponderId(cert.getPublicKey()); pass = Boolean.TRUE; } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_CtorByEncoding = new TestCase() { @Override public String getName() { return "CTOR Test (encoded bytes)"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { ResponderId ridByNameBytes = new ResponderId(EXP_NAME_ID_BYTES); ResponderId ridByKeyIdBytes = new ResponderId(EXP_KEY_ID_BYTES); if (!ridByNameBytes.equals(respByName)) { throw new RuntimeException( "Equals failed: respNameFromBytes vs. respByName"); } else if (!ridByKeyIdBytes.equals(respByKeyId)) { throw new RuntimeException( "Equals failed: respKeyFromBytes vs. respByKeyId"); } pass = Boolean.TRUE; } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase neg_CtorByEncoding = new TestCase() { @Override public String getName() { return "CTOR Test (by encoding, unknown explicit tag)"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { ResponderId ridByKeyIdBytes = new ResponderId(INV_EXPLICIT_TAG_KEY_ID); throw new RuntimeException("Expected IOException not thrown"); } catch (IOException ioe) { // Make sure it's the IOException we're looking for if (ioe.getMessage().contains("Invalid ResponderId content")) { pass = Boolean.TRUE; } else { ioe.printStackTrace(System.out); message = ioe.getClass().getName(); } } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_Equality = new TestCase() { @Override public String getName() { return "Simple Equality Test"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { // byName ResponderId equality test ResponderId compName = new ResponderId(new X500Principal(RESP_CERT_1_SUBJ)); if (!respByName.equals(compName)) { message = "ResponderId mismatch in byName comparison"; } else if (respByKeyId.equals(compName)) { message = "Invalid ResponderId match in byKeyId comparison"; } else { pass = Boolean.TRUE; } } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_GetEncoded = new TestCase() { @Override public String getName() { return "Get Encoded Value"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { // Pull out byName and byKey encodings, they should match // the expected values if (!Arrays.equals(respByName.getEncoded(), EXP_NAME_ID_BYTES)) { message = "ResponderId byName encoding did not " + "match expected value"; } else if (!Arrays.equals(respByKeyId.getEncoded(), EXP_KEY_ID_BYTES)) { message = "ResponderId byKeyId encoding did not " + "match expected value"; } else { pass = Boolean.TRUE; } } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_GetRespName = new TestCase() { @Override public String getName() { return "Get Underlying Responder Name"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { // Test methods for pulling out the underlying // X500Principal object X500Principal testPrincipal = new X500Principal(RESP_CERT_1_SUBJ); if (!respByName.getResponderName().equals(testPrincipal)) { message = "ResponderId Name did not match expected value"; } else if (respByKeyId.getResponderName() != null) { message = "Non-null responder name returned from " + "ResponderId constructed byKey"; } else { pass = Boolean.TRUE; } } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; public static final TestCase pos_GetRespKeyId = new TestCase() { @Override public String getName() { return "Get Underlying Responder Key ID"; } @Override public Map.Entry runTest() { Boolean pass = Boolean.FALSE; String message = null; try { // Test methods for pulling out the underlying // KeyIdentifier object. Note: There is a minute chance that // an RSA public key, once hashed into a key ID might collide // with the one extracted from the certificate used to create // respByKeyId. This is so unlikely to happen it is considered // virtually impossible. KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048); KeyPair rsaKey = kpg.generateKeyPair(); KeyIdentifier testKeyId = new KeyIdentifier(rsaKey.getPublic()); if (respByKeyId.getKeyIdentifier().equals(testKeyId)) { message = "Unexpected match in ResponderId Key ID"; } else if (respByName.getKeyIdentifier() != null) { message = "Non-null key ID returned from " + "ResponderId constructed byName"; } else { pass = Boolean.TRUE; } } catch (Exception e) { e.printStackTrace(System.out); message = e.getClass().getName(); } return new AbstractMap.SimpleEntry<>(pass, message); } }; }