提交
16bfd1ed
编写于
4月 14, 2016
作者:
msolovie
8074931: Additional tests for CertPath API
Reviewed-by: mullan
上级
1df741a3
Showing
2 changed file
with
789 addition
and
0 deletion
+789
-0
test/java/security/cert/CertPathEncodingTest.java
test/java/security/cert/CertPathEncodingTest.java
+253
-0
test/java/security/cert/X509CertSelectorTest.java
test/java/security/cert/X509CertSelectorTest.java
+536
-0
test/java/security/cert/CertPathEncodingTest.java
0 → 100644
/*
* Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import
java.io.ByteArrayInputStream
;
import
java.security.cert.CertPath
;
import
java.security.cert.Certificate
;
import
java.security.cert.CertificateFactory
;
import
java.util.ArrayList
;
import
java.util.Arrays
;
import
java.util.Base64
;
import
java.util.List
;
/*
* @test
* @bug 8074931
* @summary CertPathEncodingTest tests the ability of the CertPath and
* CertificateFactory to encode and decode CertPaths.
*/
public
final
class
CertPathEncodingTest
{
/*
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 935438132 (0x37c1a734)
Signature Algorithm: dsaWithSHA1
Issuer: C=us, O=sun, OU=east, OU=bcn, CN=yassir
Validity
Not Before: Aug 23 19:55:32 1999 GMT
Not After : Aug 22 19:55:32 2000 GMT
Subject: C=us, O=sun, OU=east, OU=bcn
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
pub:
63:47:4f:f6:29:e5:98:a2:21:fd:da:97:9e:3f:ca:
b0:17:49:8d:8a:a7:06:0d:a6:78:97:39:59:33:72:
a2:a5:74:d5:3a:ef:e6:7c:07:d7:8e:8e:d1:66:73:
99:14:04:96:f5:31:d6:72:ee:d2:53:f8:90:b5:f3:
c3:f1:64:ba:1a:9e:c0:0a:da:92:48:c5:d3:84:7e:
48:09:66:d9:51:ba:74:56:5a:77:8a:8c:9a:9c:f6:
84:12:61:12:51:dc:c6:4f:84:94:ec:cb:78:51:83:
8c:20:8a:53:7b:d2:b6:36:df:50:35:95:1f:cb:50:
55:8b:3f:fb:e2:77:cb
P:
00:fd:7f:53:81:1d:75:12:29:52:df:4a:9c:2e:ec:
e4:e7:f6:11:b7:52:3c:ef:44:00:c3:1e:3f:80:b6:
51:26:69:45:5d:40:22:51:fb:59:3d:8d:58:fa:bf:
c5:f5:ba:30:f6:cb:9b:55:6c:d7:81:3b:80:1d:34:
6f:f2:66:60:b7:6b:99:50:a5:a4:9f:9f:e8:04:7b:
10:22:c2:4f:bb:a9:d7:fe:b7:c6:1b:f8:3b:57:e7:
c6:a8:a6:15:0f:04:fb:83:f6:d3:c5:1e:c3:02:35:
54:13:5a:16:91:32:f6:75:f3:ae:2b:61:d7:2a:ef:
f2:22:03:19:9d:d1:48:01:c7
Q:
00:97:60:50:8f:15:23:0b:cc:b2:92:b9:82:a2:eb:
84:0b:f0:58:1c:f5
G:
00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:5c:36:b8:
57:b9:79:94:af:bb:fa:3a:ea:82:f9:57:4c:0b:3d:
07:82:67:51:59:57:8e:ba:d4:59:4f:e6:71:07:10:
81:80:b4:49:16:71:23:e8:4c:28:16:13:b7:cf:09:
32:8c:c8:a6:e1:3c:16:7a:8b:54:7c:8d:28:e0:a3:
ae:1e:2b:b3:a6:75:91:6e:a3:7f:0b:fa:21:35:62:
f1:fb:62:7a:01:24:3b:cc:a4:f1:be:a8:51:90:89:
a8:83:df:e1:5a:e5:9f:06:92:8b:66:5e:80:7b:55:
25:64:01:4c:3b:fe:cf:49:2a
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
Signature Algorithm: dsaWithSHA1
r:
52:80:52:2b:2c:3d:02:66:58:b4:dc:ef:52:26:70:
1b:53:ca:b3:7d
s:
62:03:b2:ab:3e:18:2a:66:09:b6:ce:d4:05:a5:8e:
a5:7a:0d:55:67
*/
private
static
final
String
cert1
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICzTCCAougAwIBAgIEN8GnNDALBgcqhkjOOAQDBQAwSTELMAkGA1UEBhMCdXMx\n"
+
"DDAKBgNVBAoTA3N1bjENMAsGA1UECxMEZWFzdDEMMAoGA1UECxMDYmNuMQ8wDQYD\n"
+
"VQQDEwZ5YXNzaXIwHhcNOTkwODIzMTk1NTMyWhcNMDAwODIyMTk1NTMyWjA4MQsw\n"
+
"CQYDVQQGEwJ1czEMMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRlYXN0MQwwCgYDVQQL\n"
+
"EwNiY24wggG1MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YR\n"
+
"t1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZ\n"
+
"UKWkn5/oBHsQIsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOu\n"
+
"K2HXKu/yIgMZndFIAccCFQCXYFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps9\n"
+
"3su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZV4661FlP5nEHEIGAtEkWcSPoTCgW\n"
+
"E7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7YnoBJDvMpPG+qFGQ\n"
+
"iaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBggACf2NHT/Yp5ZiiIf3al54/yrAX\n"
+
"SY2KpwYNpniXOVkzcqKldNU67+Z8B9eOjtFmc5kUBJb1MdZy7tJT+JC188PxZLoa\n"
+
"nsAK2pJIxdOEfkgJZtlRunRWWneKjJqc9oQSYRJR3MZPhJTsy3hRg4wgilN70rY2\n"
+
"31A1lR/LUFWLP/vid8ujEzARMA8GA1UdDwEB/wQFAwMHpAAwCwYHKoZIzjgEAwUA\n"
+
"Ay8AMCwCFFKAUissPQJmWLTc71ImcBtTyrN9AhRiA7KrPhgqZgm2ztQFpY6leg1V\n"
+
"Zw==\n"
+
"-----END CERTIFICATE-----\n"
+
""
;
/*
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 935095671 (0x37bc6d77)
Signature Algorithm: dsaWithSHA1
Issuer: C=us, O=sun, OU=east, OU=bcn, CN=yassir
Validity
Not Before: Aug 19 20:47:51 1999 GMT
Not After : Aug 18 20:47:51 2000 GMT
Subject: C=us, O=sun, OU=east, OU=bcn, CN=yassir
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
pub:
0a:cc:a4:ec:d6:88:45:c2:24:6b:0d:78:f1:82:f3:
5e:3e:31:5d:fb:64:d5:06:5e:39:16:f1:0a:85:d1:
ff:d1:a4:74:c5:e6:b0:ba:93:1c:ee:69:51:be:3b:
a6:66:44:50:b4:f0:5e:0e:dd:9f:08:71:fe:a1:91:
2e:d4:9e:6b:b2:c0:82:3c:91:6c:18:b0:d9:bc:a3:
48:91:3f:8b:59:01:61:00:02:ab:22:31:bc:7c:6c:
0d:9f:ed:be:33:e6:5c:44:9e:62:30:95:f8:6d:22:
d7:e5:85:4c:b0:98:6e:ad:cc:ca:3b:ad:cb:fa:f7:
9f:37:13:f7:ca:e2:22:ba
P:
00:fd:7f:53:81:1d:75:12:29:52:df:4a:9c:2e:ec:
e4:e7:f6:11:b7:52:3c:ef:44:00:c3:1e:3f:80:b6:
51:26:69:45:5d:40:22:51:fb:59:3d:8d:58:fa:bf:
c5:f5:ba:30:f6:cb:9b:55:6c:d7:81:3b:80:1d:34:
6f:f2:66:60:b7:6b:99:50:a5:a4:9f:9f:e8:04:7b:
10:22:c2:4f:bb:a9:d7:fe:b7:c6:1b:f8:3b:57:e7:
c6:a8:a6:15:0f:04:fb:83:f6:d3:c5:1e:c3:02:35:
54:13:5a:16:91:32:f6:75:f3:ae:2b:61:d7:2a:ef:
f2:22:03:19:9d:d1:48:01:c7
Q:
00:97:60:50:8f:15:23:0b:cc:b2:92:b9:82:a2:eb:
84:0b:f0:58:1c:f5
G:
00:f7:e1:a0:85:d6:9b:3d:de:cb:bc:ab:5c:36:b8:
57:b9:79:94:af:bb:fa:3a:ea:82:f9:57:4c:0b:3d:
07:82:67:51:59:57:8e:ba:d4:59:4f:e6:71:07:10:
81:80:b4:49:16:71:23:e8:4c:28:16:13:b7:cf:09:
32:8c:c8:a6:e1:3c:16:7a:8b:54:7c:8d:28:e0:a3:
ae:1e:2b:b3:a6:75:91:6e:a3:7f:0b:fa:21:35:62:
f1:fb:62:7a:01:24:3b:cc:a4:f1:be:a8:51:90:89:
a8:83:df:e1:5a:e5:9f:06:92:8b:66:5e:80:7b:55:
25:64:01:4c:3b:fe:cf:49:2a
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:5
Signature Algorithm: dsaWithSHA1
r:
2f:88:46:37:94:92:b2:02:07:5b:8d:76:e5:81:23:
85:7f:bc:8d:b9
s:
00:8b:d7:41:fa:11:c7:ab:27:92:5d:0a:03:98:56:
36:42:5f:f5:1f:9d
*/
private
static
final
String
cert2
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIIC9TCCArKgAwIBAgIEN7xtdzALBgcqhkjOOAQDBQAwSTELMAkGA1UEBhMCdXMx\n"
+
"DDAKBgNVBAoTA3N1bjENMAsGA1UECxMEZWFzdDEMMAoGA1UECxMDYmNuMQ8wDQYD\n"
+
"VQQDEwZ5YXNzaXIwHhcNOTkwODE5MjA0NzUxWhcNMDAwODE4MjA0NzUxWjBJMQsw\n"
+
"CQYDVQQGEwJ1czEMMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRlYXN0MQwwCgYDVQQL\n"
+
"EwNiY24xDzANBgNVBAMTBnlhc3NpcjCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9\n"
+
"f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2\n"
+
"y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD\n"
+
"9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLr\n"
+
"hAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrU\n"
+
"WU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6\n"
+
"ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GEAAKB\n"
+
"gArMpOzWiEXCJGsNePGC814+MV37ZNUGXjkW8QqF0f/RpHTF5rC6kxzuaVG+O6Zm\n"
+
"RFC08F4O3Z8Icf6hkS7UnmuywII8kWwYsNm8o0iRP4tZAWEAAqsiMbx8bA2f7b4z\n"
+
"5lxEnmIwlfhtItflhUywmG6tzMo7rcv69583E/fK4iK6oycwJTAPBgNVHQ8BAf8E\n"
+
"BQMDB6QAMBIGA1UdEwEB/wQIMAYBAf8CAQUwCwYHKoZIzjgEAwUAAzAAMC0CFC+I\n"
+
"RjeUkrICB1uNduWBI4V/vI25AhUAi9dB+hHHqyeSXQoDmFY2Ql/1H50=\n"
+
"-----END CERTIFICATE-----\n"
+
""
;
private
static
final
String
pkcs7path
=
"MIIF9QYJKoZIhvcNAQcCoIIF5jCCBeICAQExADALBgkqhkiG9w0BBwGgggXKMIICzTCCAougAwIB\n"
+
"AgIEN8GnNDALBgcqhkjOOAQDBQAwSTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UE\n"
+
"CxMEZWFzdDEMMAoGA1UECxMDYmNuMQ8wDQYDVQQDEwZ5YXNzaXIwHhcNOTkwODIzMTk1NTMyWhcN\n"
+
"MDAwODIyMTk1NTMyWjA4MQswCQYDVQQGEwJ1czEMMAoGA1UEChMDc3VuMQ0wCwYDVQQLEwRlYXN0\n"
+
"MQwwCgYDVQQLEwNiY24wggG1MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YR\n"
+
"t1I870QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQ\n"
+
"IsJPu6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCX\n"
+
"YFCPFSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZ\n"
+
"V4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7\n"
+
"YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBggACf2NHT/Yp5ZiiIf3al54/\n"
+
"yrAXSY2KpwYNpniXOVkzcqKldNU67+Z8B9eOjtFmc5kUBJb1MdZy7tJT+JC188PxZLoansAK2pJI\n"
+
"xdOEfkgJZtlRunRWWneKjJqc9oQSYRJR3MZPhJTsy3hRg4wgilN70rY231A1lR/LUFWLP/vid8uj\n"
+
"EzARMA8GA1UdDwEB/wQFAwMHpAAwCwYHKoZIzjgEAwUAAy8AMCwCFFKAUissPQJmWLTc71ImcBtT\n"
+
"yrN9AhRiA7KrPhgqZgm2ztQFpY6leg1VZzCCAvUwggKyoAMCAQICBDe8bXcwCwYHKoZIzjgEAwUA\n"
+
"MEkxCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNzdW4xDTALBgNVBAsTBGVhc3QxDDAKBgNVBAsTA2Jj\n"
+
"bjEPMA0GA1UEAxMGeWFzc2lyMB4XDTk5MDgxOTIwNDc1MVoXDTAwMDgxODIwNDc1MVowSTELMAkG\n"
+
"A1UEBhMCdXMxDDAKBgNVBAoTA3N1bjENMAsGA1UECxMEZWFzdDEMMAoGA1UECxMDYmNuMQ8wDQYD\n"
+
"VQQDEwZ5YXNzaXIwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I8\n"
+
"70QAwx4/gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJP\n"
+
"u6nX/rfGG/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFQCXYFCP\n"
+
"FSMLzLKSuYKi64QL8Fgc9QKBgQD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeCZ1FZV466\n"
+
"1FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1YvH7YnoB\n"
+
"JDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhAACgYAKzKTs1ohFwiRrDXjxgvNe\n"
+
"PjFd+2TVBl45FvEKhdH/0aR0xeawupMc7mlRvjumZkRQtPBeDt2fCHH+oZEu1J5rssCCPJFsGLDZ\n"
+
"vKNIkT+LWQFhAAKrIjG8fGwNn+2+M+ZcRJ5iMJX4bSLX5YVMsJhurczKO63L+vefNxP3yuIiuqMn\n"
+
"MCUwDwYDVR0PAQH/BAUDAwekADASBgNVHRMBAf8ECDAGAQH/AgEFMAsGByqGSM44BAMFAAMwADAt\n"
+
"AhQviEY3lJKyAgdbjXblgSOFf7yNuQIVAIvXQfoRx6snkl0KA5hWNkJf9R+dMQA=\n"
+
""
;
// Runs test of CertPath encoding and decoding.
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// Make the CertPath whose encoded form has already been stored
CertificateFactory
certFac
=
CertificateFactory
.
getInstance
(
"X509"
);
final
List
<
Certificate
>
certs
=
new
ArrayList
<>();
certs
.
add
(
certFac
.
generateCertificate
(
new
ByteArrayInputStream
(
cert1
.
getBytes
())));
certs
.
add
(
certFac
.
generateCertificate
(
new
ByteArrayInputStream
(
cert2
.
getBytes
())));
CertPath
cp
=
certFac
.
generateCertPath
(
certs
);
// Get the encoded form of the CertPath we made
byte
[]
encoded
=
cp
.
getEncoded
(
"PKCS7"
);
// check if it matches the encoded value
if
(!
Arrays
.
equals
(
encoded
,
Base64
.
getMimeDecoder
().
decode
(
pkcs7path
.
getBytes
())))
{
throw
new
RuntimeException
(
"PKCS#7 encoding doesn't match stored value"
);
}
// Generate a CertPath from the encoded value and check if it equals
// the CertPath generated from the certificates
CertPath
decodedCP
=
certFac
.
generateCertPath
(
new
ByteArrayInputStream
(
encoded
),
"PKCS7"
);
if
(!
decodedCP
.
equals
(
cp
))
{
throw
new
RuntimeException
(
"CertPath decoded from PKCS#7 isn't equal to original"
);
}
}
}
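Review bot: The final `decodedCP.equals(cp)` check in main assumes that a PKCS7 round trip keeps the certificates in order, but the standard CertPath encoding documentation warns that PKCS #7 does not maintain certificate order, so this assertion pins the default provider's behaviour rather than the API contract. I would say so next to the check, e.g. `// PKCS7 does not guarantee certificate order; equality relies on the provider preserving it`, and add an order-preserving round trip next to it: `CertPath viaPkiPath = certFac.generateCertPath(new ByteArrayInputStream(cp.getEncoded("PkiPath")), "PkiPath");` followed by the same equality test. The class comment could also state that cert1 and cert2 are long-expired DSA/SHA-1 fixtures used only for encoding and decoding, since nothing here validates the path. The `cert1.getBytes()`, `cert2.getBytes()` and `pkcs7path.getBytes()` calls depend on the platform default charset; `getBytes(StandardCharsets.US_ASCII)` would make the PEM and Base64 input independent of it.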
test/java/security/cert/X509CertSelectorTest.java
0 → 100644
/*
* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import
static
sun
.
security
.
x509
.
GeneralNameInterface
.
NAME_DIRECTORY
;
import
static
sun
.
security
.
x509
.
NameConstraintsExtension
.
EXCLUDED_SUBTREES
;
import
static
sun
.
security
.
x509
.
NameConstraintsExtension
.
PERMITTED_SUBTREES
;
import
java.io.ByteArrayInputStream
;
import
java.io.ByteArrayOutputStream
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
java.math.BigInteger
;
import
java.security.GeneralSecurityException
;
import
java.security.KeyFactory
;
import
java.security.PublicKey
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.X509CertSelector
;
import
java.security.cert.X509Certificate
;
import
java.security.spec.X509EncodedKeySpec
;
import
java.util.Base64
;
import
java.util.Calendar
;
import
java.util.Date
;
import
java.util.HashSet
;
import
java.util.Iterator
;
import
java.util.List
;
import
java.util.Set
;
import
sun.security.util.DerInputStream
;
import
sun.security.util.DerOutputStream
;
import
sun.security.util.DerValue
;
import
sun.security.util.ObjectIdentifier
;
import
sun.security.x509.AlgorithmId
;
import
sun.security.x509.AuthorityKeyIdentifierExtension
;
import
sun.security.x509.CertificatePoliciesExtension
;
import
sun.security.x509.DNSName
;
import
sun.security.x509.GeneralName
;
import
sun.security.x509.GeneralNameInterface
;
import
sun.security.x509.GeneralNames
;
import
sun.security.x509.GeneralSubtree
;
import
sun.security.x509.GeneralSubtrees
;
import
sun.security.x509.KeyIdentifier
;
import
sun.security.x509.NameConstraintsExtension
;
import
sun.security.x509.PolicyInformation
;
import
sun.security.x509.PrivateKeyUsageExtension
;
import
sun.security.x509.SubjectAlternativeNameExtension
;
import
sun.security.x509.X500Name
;
/*
* @test
* @bug 8074931
* @summary This class tests the X509CertSelector. The tests check particular criteria
* by setting them to a value that should match our test certificate and
* ensuring that they do match, then setting them to a value that should not
* match our test certificate and ensuring that they do not match.
*/
public
class
X509CertSelectorTest
{
/*
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 954172088 (0x38df82b8)
Signature Algorithm: dsaWithSHA1
Issuer: C=us, O=sun, OU=testing
Validity
Not Before: Mar 27 15:48:08 2000 GMT
Not After : Jun 25 14:48:08 2000 GMT
Subject: C=us, O=sun, OU=testing, CN=mullan
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
pub: 0
P: 0
Q: 0
G: 0
X509v3 extensions:
X509v3 Name Constraints: critical
0D.B0@.>1.0...U....us1.0
..U.
..sun1.0...U....testing1.0
..U....mullan
X509v3 Subject Key Identifier:
56:E8:88:AE:9D:B5:3F:2B:CB:A0:4C:4B:E2:87:53:07:33:77:1B:DF
X509v3 Authority Key Identifier:
keyid:8E:DD:AF:6F:EE:02:12:F4:61:E9:2F:E3:64:1A:6F:71:32:25:20:C0
X509v3 Subject Alternative Name:
email:mullan@east.sun.com
X509v3 Private Key Usage Period:
Not Before: Jan 1 05:00:00 2000 GMT, Not After: Jan 1 05:00:00 2001 GMT
X509v3 Key Usage: critical
Digital Signature
X509v3 Certificate Policies:
0$0\..*...0.0...+.......0..
Testing...
Signature Algorithm: dsaWithSHA1
r:
44:c7:35:40:5d:6c:28:75:7f:73:b2:f8:0d:72:6c:
09:65:b8:81:14
s:
76:79:f5:c7:37:3b:0d:9b:db:70:2f:20:80:36:e3:
80:e8:a6:c6:71
*/
private
static
final
String
testCert
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICLjCCAeygAwIBAgIEON+CuDALBgcqhkjOOAQDBQAwLTELMAkGA1UEBhMCdXMx\n"
+
"DDAKBgNVBAoTA3N1bjEQMA4GA1UECxMHdGVzdGluZzAeFw0wMDAzMjcxNTQ4MDha\n"
+
"Fw0wMDA2MjUxNDQ4MDhaMD4xCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNzdW4xEDAO\n"
+
"BgNVBAsTB3Rlc3RpbmcxDzANBgNVBAMTBm11bGxhbjAcMBQGByqGSM44BAEwCQIB\n"
+
"AAIBAAIBAAMEAAIBAKOCASMwggEfMFAGA1UdHgEB/wRGMESgQjBApD4xCzAJBgNV\n"
+
"BAYTAnVzMQwwCgYDVQQKEwNzdW4xEDAOBgNVBAsTB3Rlc3RpbmcxDzANBgNVBAMT\n"
+
"Bm11bGxhbjAdBgNVHQ4EFgQUVuiIrp21PyvLoExL4odTBzN3G98wHwYDVR0jBBgw\n"
+
"FoAUjt2vb+4CEvRh6S/jZBpvcTIlIMAwHgYDVR0RBBcwFYETbXVsbGFuQGVhc3Qu\n"
+
"c3VuLmNvbTArBgNVHRAEJDAigA8yMDAwMDEwMTA1MDAwMFqBDzIwMDEwMTAxMDUw\n"
+
"MDAwWjAPBgNVHQ8BAf8EBQMDB4AAMC0GA1UdIAQmMCQwIgYEKoSAADAaMBgGCCsG\n"
+
"AQUFBwICMAwSClRlc3RpbmcuLi4wCwYHKoZIzjgEAwUAAy8AMCwCFETHNUBdbCh1\n"
+
"f3Oy+A1ybAlluIEUAhR2efXHNzsNm9twLyCANuOA6KbGcQ==\n"
+
"-----END CERTIFICATE-----\n"
+
""
;
private
static
final
String
testKey
=
"MIIBtjCCASsGByqGSM44BAEwggEeAoGBAIVWPEkcxbxhQRCqVzg55tNqbP5j0K4kdu4bkmXvfqC5\n"
+
"+qA75DvnfzsOJseb+9AuKXWk/DvCzFDmrY1YaU3scZC3OQEO9lEO3F4VDKOaudY6OT1SI22pAIwz\n"
+
"j5pvq+i7zOp4xUqkQUeh/4iQSfxOT5UrFGjkcbnbpVkCXD/GxAz7AhUAjtnm3dVIddUUHl6wxpZ7\n"
+
"GcA6gSsCgYAf/PXzQtemgIDjpFrNNSgTEKkLposBXKatAM+gUKlMUjf8SQvquqPxDtRrscGjXkoL\n"
+
"oTkaR7/akULYFpBvUcFkeIFiCnJg8M9XhCWdLvn9MPt+jR2oxookvCb9xLtD6WvIM/wd/nZ1iK4u\n"
+
"iY1+q85xvns/Awbtwl7oZDAwE2TUKAOBhAACgYBDc9UZ+3xsZubUZvRG5cpyJceYpJp2exOPVJXn\n"
+
"jR4CcR+cT9bAJpFSxqE/8KtNHXxHdu4f3DU67IMOVDpugzihyzXJvNm3w2H9x+6xczHG2wjvAJeh\n"
+
"X62EWbUatxPXFAoVKZWuUbaYaZzdWBDtNRrCuKKsLo0GFy8g2BZISuD3jw==\n"
+
""
;
// Certificate to run tests on
private
final
X509Certificate
cert
;
public
static
void
main
(
String
[]
args
)
throws
Exception
{
X509CertSelectorTest
test
=
new
X509CertSelectorTest
();
test
.
doTest
();
}
public
X509CertSelectorTest
()
throws
CertificateException
,
IOException
{
cert
=
(
X509Certificate
)
CertificateFactory
.
getInstance
(
"X.509"
)
.
generateCertificate
(
new
ByteArrayInputStream
(
testCert
.
getBytes
()));
}
// Runs the test.
private
void
doTest
()
throws
Exception
{
System
.
out
.
println
(
"START OF TESTS FOR "
+
"X509CertSelector"
);
testSerialNumber
();
testIssuer
();
testSubjectKeyIdentifier
();
testAuthorityKeyIdentifier
();
testCertificateValid
();
testPrivateKeyValid
();
testSubjectPublicKeyAlgID
();
testKeyUsage
();
testSubjectAltName
();
testPolicy
();
testPathToName
();
testSubject
();
testSubjectPublicKey
();
testNameConstraints
();
testBasicConstraints
();
testCertificate
();
}
// Tests matching on the serial number contained in the certificate.
private
void
testSerialNumber
()
{
System
.
out
.
println
(
"X.509 Certificate Match on serialNumber"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
selector
.
setSerialNumber
(
new
BigInteger
(
"999999999"
));
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setSerialNumber
(
cert
.
getSerialNumber
());
checkMatch
(
selector
,
cert
,
true
);
}
// Tests matching on the issuer name contained in the certificate.
private
void
testIssuer
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on issuer"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
selector
.
setIssuer
(
"ou=bogus,ou=east,o=sun,c=us"
);
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setIssuer
((
cert
.
getIssuerX500Principal
()).
getName
(
"RFC2253"
));
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the subject key identifier contained in the
* certificate.
*/
private
void
testSubjectKeyIdentifier
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on subjectKeyIdentifier"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
byte
[]
b
=
{
0
,
1
,
2
,
3
,
4
,
5
,
6
,
7
,
8
,
9
};
selector
.
setSubjectKeyIdentifier
(
b
);
checkMatch
(
selector
,
cert
,
false
);
// good match
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.14"
));
byte
[]
encoded
=
in
.
getOctetString
();
selector
.
setSubjectKeyIdentifier
(
encoded
);
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the authority key identifier contained in the
* certificate.
*/
private
void
testAuthorityKeyIdentifier
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on authorityKeyIdentifier"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
byte
[]
b
=
{
0
,
1
,
2
,
3
,
4
,
5
,
6
,
7
,
8
,
9
};
AuthorityKeyIdentifierExtension
a
=
new
AuthorityKeyIdentifierExtension
(
new
KeyIdentifier
(
b
),
null
,
null
);
selector
.
setAuthorityKeyIdentifier
(
a
.
getExtensionValue
());
checkMatch
(
selector
,
cert
,
false
);
// good match
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.35"
));
byte
[]
encoded
=
in
.
getOctetString
();
selector
.
setAuthorityKeyIdentifier
(
encoded
);
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the certificate validity component contained in the
* certificate.
*/
private
void
testCertificateValid
()
{
System
.
out
.
println
(
"X.509 Certificate Match on certificateValid"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
Calendar
cal
=
Calendar
.
getInstance
();
cal
.
set
(
1968
,
12
,
31
);
selector
.
setCertificateValid
(
cal
.
getTime
());
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setCertificateValid
(
cert
.
getNotBefore
());
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the private key validity component contained in the
* certificate.
*/
private
void
testPrivateKeyValid
()
throws
IOException
,
CertificateException
{
System
.
out
.
println
(
"X.509 Certificate Match on privateKeyValid"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
Calendar
cal
=
Calendar
.
getInstance
();
cal
.
set
(
1968
,
12
,
31
);
selector
.
setPrivateKeyValid
(
cal
.
getTime
());
checkMatch
(
selector
,
cert
,
false
);
// good match
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.16"
));
byte
[]
encoded
=
in
.
getOctetString
();
PrivateKeyUsageExtension
ext
=
new
PrivateKeyUsageExtension
(
false
,
encoded
);
Date
validDate
=
(
Date
)
ext
.
get
(
PrivateKeyUsageExtension
.
NOT_BEFORE
);
selector
.
setPrivateKeyValid
(
validDate
);
checkMatch
(
selector
,
cert
,
true
);
}
private
ObjectIdentifier
getCertPubKeyAlgOID
(
X509Certificate
xcert
)
throws
IOException
{
byte
[]
encodedKey
=
xcert
.
getPublicKey
().
getEncoded
();
DerValue
val
=
new
DerValue
(
encodedKey
);
if
(
val
.
tag
!=
DerValue
.
tag_Sequence
)
{
throw
new
RuntimeException
(
"invalid key format"
);
}
return
AlgorithmId
.
parse
(
val
.
data
.
getDerValue
()).
getOID
();
}
/*
* Tests matching on the subject public key algorithm ID component contained
* in the certificate.
*/
private
void
testSubjectPublicKeyAlgID
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on subjectPublicKeyAlgID"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
selector
.
setSubjectPublicKeyAlgID
(
"2.5.29.14"
);
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setSubjectPublicKeyAlgID
(
getCertPubKeyAlgOID
(
cert
).
toString
());
checkMatch
(
selector
,
cert
,
true
);
}
// Tests matching on the key usage extension contained in the certificate.
private
void
testKeyUsage
()
{
System
.
out
.
println
(
"X.509 Certificate Match on keyUsage"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
boolean
[]
keyUsage
=
{
true
,
false
,
true
,
false
,
true
,
false
,
true
,
false
};
selector
.
setKeyUsage
(
keyUsage
);
System
.
out
.
println
(
"Selector = "
+
selector
.
toString
());
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setKeyUsage
(
cert
.
getKeyUsage
());
System
.
out
.
println
(
"Selector = "
+
selector
.
toString
());
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the subject alternative name extension contained in the
* certificate.
*/
private
void
testSubjectAltName
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on subjectAltName"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
GeneralNameInterface
dnsName
=
new
DNSName
(
"foo.com"
);
DerOutputStream
tmp
=
new
DerOutputStream
();
dnsName
.
encode
(
tmp
);
selector
.
addSubjectAlternativeName
(
2
,
tmp
.
toByteArray
());
checkMatch
(
selector
,
cert
,
false
);
// good match
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.17"
));
byte
[]
encoded
=
in
.
getOctetString
();
SubjectAlternativeNameExtension
ext
=
new
SubjectAlternativeNameExtension
(
false
,
encoded
);
GeneralNames
names
=
(
GeneralNames
)
ext
.
get
(
SubjectAlternativeNameExtension
.
SUBJECT_NAME
);
GeneralName
name
=
(
GeneralName
)
names
.
get
(
0
);
selector
.
setSubjectAlternativeNames
(
null
);
DerOutputStream
tmp2
=
new
DerOutputStream
();
name
.
getName
().
encode
(
tmp2
);
selector
.
addSubjectAlternativeName
(
name
.
getType
(),
tmp2
.
toByteArray
());
checkMatch
(
selector
,
cert
,
true
);
// good match 2 (matches at least one)
selector
.
setMatchAllSubjectAltNames
(
false
);
selector
.
addSubjectAlternativeName
(
2
,
"foo.com"
);
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the policy constraints extension contained in the
* certificate.
*/
private
void
testPolicy
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on certificatePolicies"
);
// test encoding of CertificatePoliciesExtension because we wrote the
// code
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
Set
<
String
>
s
=
new
HashSet
<>();
s
.
add
(
new
String
(
"1.2.5.7.68"
));
selector
.
setPolicy
(
s
);
checkMatch
(
selector
,
cert
,
false
);
// good match
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.32"
));
CertificatePoliciesExtension
ext
=
new
CertificatePoliciesExtension
(
false
,
in
.
getOctetString
());
List
<
PolicyInformation
>
policies
=
ext
.
get
(
CertificatePoliciesExtension
.
POLICIES
);
// match on the first policy id
PolicyInformation
policyInfo
=
(
PolicyInformation
)
policies
.
get
(
0
);
s
.
clear
();
s
.
add
(
policyInfo
.
getPolicyIdentifier
().
getIdentifier
().
toString
());
selector
.
setPolicy
(
s
);
checkMatch
(
selector
,
cert
,
true
);
}
/*
* Tests matching on the name constraints extension contained in the
* certificate.
*/
private
void
testPathToName
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on pathToName"
);
X509CertSelector
selector
=
null
;
DerInputStream
in
=
new
DerInputStream
(
cert
.
getExtensionValue
(
"2.5.29.30"
));
byte
[]
encoded
=
in
.
getOctetString
();
NameConstraintsExtension
ext
=
new
NameConstraintsExtension
(
false
,
encoded
);
GeneralSubtrees
permitted
=
(
GeneralSubtrees
)
ext
.
get
(
PERMITTED_SUBTREES
);
GeneralSubtrees
excluded
=
(
GeneralSubtrees
)
ext
.
get
(
EXCLUDED_SUBTREES
);
// bad matches on pathToName within excluded subtrees
if
(
excluded
!=
null
)
{
Iterator
<
GeneralSubtree
>
e
=
excluded
.
iterator
();
while
(
e
.
hasNext
())
{
GeneralSubtree
tree
=
e
.
next
();
if
(
tree
.
getName
().
getType
()
==
NAME_DIRECTORY
)
{
X500Name
excludedDN1
=
new
X500Name
(
tree
.
getName
().
toString
());
X500Name
excludedDN2
=
new
X500Name
(
"CN=Bogus, "
+
tree
.
getName
().
toString
());
DerOutputStream
derDN1
=
new
DerOutputStream
();
DerOutputStream
derDN2
=
new
DerOutputStream
();
excludedDN1
.
encode
(
derDN1
);
excludedDN2
.
encode
(
derDN2
);
selector
=
new
X509CertSelector
();
selector
.
addPathToName
(
NAME_DIRECTORY
,
derDN1
.
toByteArray
());
checkMatch
(
selector
,
cert
,
false
);
selector
.
setPathToNames
(
null
);
selector
.
addPathToName
(
NAME_DIRECTORY
,
derDN2
.
toByteArray
());
checkMatch
(
selector
,
cert
,
false
);
}
}
}
// good matches on pathToName within permitted subtrees
if
(
permitted
!=
null
)
{
Iterator
<
GeneralSubtree
>
e
=
permitted
.
iterator
();
while
(
e
.
hasNext
())
{
GeneralSubtree
tree
=
e
.
next
();
if
(
tree
.
getName
().
getType
()
==
NAME_DIRECTORY
)
{
X500Name
permittedDN1
=
new
X500Name
(
tree
.
getName
().
toString
());
X500Name
permittedDN2
=
new
X500Name
(
"CN=good, "
+
tree
.
getName
().
toString
());
DerOutputStream
derDN1
=
new
DerOutputStream
();
DerOutputStream
derDN2
=
new
DerOutputStream
();
permittedDN1
.
encode
(
derDN1
);
permittedDN2
.
encode
(
derDN2
);
selector
=
new
X509CertSelector
();
selector
.
addPathToName
(
NAME_DIRECTORY
,
derDN1
.
toByteArray
());
checkMatch
(
selector
,
cert
,
true
);
selector
.
setPathToNames
(
null
);
selector
.
addPathToName
(
NAME_DIRECTORY
,
derDN2
.
toByteArray
());
checkMatch
(
selector
,
cert
,
true
);
}
}
}
}
// Tests matching on the subject name contained in the certificate.
private
void
testSubject
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on subject"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
selector
.
setSubject
(
"ou=bogus,ou=east,o=sun,c=us"
);
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setSubject
(
cert
.
getSubjectX500Principal
().
getName
(
"RFC2253"
));
checkMatch
(
selector
,
cert
,
true
);
}
// Tests matching on the subject public key contained in the certificate.
private
void
testSubjectPublicKey
()
throws
IOException
,
GeneralSecurityException
{
System
.
out
.
println
(
"X.509 Certificate Match on subject public key"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
X509EncodedKeySpec
keySpec
=
new
X509EncodedKeySpec
(
Base64
.
getMimeDecoder
().
decode
(
testKey
.
getBytes
()));
KeyFactory
keyFactory
=
KeyFactory
.
getInstance
(
"DSA"
);
PublicKey
pubKey
=
keyFactory
.
generatePublic
(
keySpec
);
selector
.
setSubjectPublicKey
(
pubKey
);
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setSubjectPublicKey
(
cert
.
getPublicKey
());
checkMatch
(
selector
,
cert
,
true
);
}
// Tests matching on the name constraints contained in the certificate.
private
void
testNameConstraints
()
throws
IOException
{
System
.
out
.
println
(
"X.509 Certificate Match on name constraints"
);
// bad match
GeneralSubtrees
subjectTree
=
new
GeneralSubtrees
();
subjectTree
.
add
(
getGeneralSubtree
((
X500Name
)
cert
.
getSubjectDN
()));
NameConstraintsExtension
ext
=
new
NameConstraintsExtension
((
GeneralSubtrees
)
null
,
subjectTree
);
X509CertSelector
selector
=
new
X509CertSelector
();
selector
.
setNameConstraints
(
ext
.
getExtensionValue
());
checkMatch
(
selector
,
cert
,
false
);
// good match
ext
=
new
NameConstraintsExtension
(
subjectTree
,
null
);
selector
.
setNameConstraints
(
ext
.
getExtensionValue
());
checkMatch
(
selector
,
cert
,
true
);
}
// Tests matching on basic constraints.
private
void
testBasicConstraints
()
{
System
.
out
.
println
(
"X.509 Certificate Match on basic constraints"
);
// bad match
X509CertSelector
selector
=
new
X509CertSelector
();
int
mpl
=
cert
.
getBasicConstraints
();
selector
.
setBasicConstraints
(
0
);
checkMatch
(
selector
,
cert
,
false
);
// good match
selector
.
setBasicConstraints
(
mpl
);
checkMatch
(
selector
,
cert
,
true
);
}
// Tests certificateEquals criterion
private
void
testCertificate
()
{
System
.
out
.
println
(
"X.509 Certificate Match on certificateEquals criterion"
);
X509CertSelector
selector
=
new
X509CertSelector
();
// good match
selector
.
setCertificate
(
cert
);
checkMatch
(
selector
,
cert
,
true
);
}
private
void
checkMatch
(
X509CertSelector
selector
,
X509Certificate
cert
,
boolean
match
)
{
boolean
result
=
selector
.
match
(
cert
);
if
(
match
!=
result
)
throw
new
RuntimeException
(
selector
+
" match "
+
cert
+
" is "
+
result
+
", but expect "
+
match
);
}
private
static
GeneralSubtree
getGeneralSubtree
(
GeneralNameInterface
gni
)
{
// Create a new GeneralSubtree with the specified name, 0 base, and
// unlimited length
GeneralName
gn
=
new
GeneralName
(
gni
);
GeneralSubtree
subTree
=
new
GeneralSubtree
(
gn
,
0
,
-
1
);
return
subTree
;
}
}
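Review bot: The "good match" in testBasicConstraints does not exercise the criterion: the certificate dump in this file's comment lists no Basic Constraints extension, so `cert.getBasicConstraints()` presumably returns -1, and `setBasicConstraints(-1)` tells the selector to skip the check altogether. For an end-entity certificate the positive case should be `selector.setBasicConstraints(-2);`, which accepts only certificates that are not CAs. In testCertificateValid and testPrivateKeyValid, `cal.set(1968, 12, 31)` passes 12 to a zero-based month field, so the lenient calendar rolls the date into January 1969; it still precedes the validity period, but `cal.set(1968, Calendar.DECEMBER, 31);` says what was meant. testPathToName also passes silently when neither subtree list holds a directory name (`selector` stays null and no checkMatch call runs), so it should fail explicitly if no pathToName check was executed.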