Merge

255d2ed6 · mchung · 3aba8472 · d469cf91 · 255d2ed6 · 255d2ed6
5 changed file
--- a/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithRID.java
+++ b/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithRID.java
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6845286
+ * @summary Add regression test for name constraints
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class NameConstraintsWithRID {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICTjCCAbegAwIBAgIJAIoSzC1A/k4vMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxMloXDTMwMDQx\n" +
+        "NzA5MjcxMlowHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUwgZ8wDQYJ\n" +
+        "KoZIhvcNAQEBBQADgY0AMIGJAoGBANXzlv5Fn2cdgBRdEK/37/o8rqQXIRIMZqX6\n" +
+        "BPuo46Cdhctv+n3hu5bj/PwgJVbAJcqcQfDudSSF5gwGlRqDX9vekPSS47XZXjOZ\n" +
+        "qFcnDoWP0gSQXLYVVtjuItkecTrPyUE5v2lRIAh13MGKOSh3ZsrtFvj7Y5d9EqIP\n" +
+        "SLxWWPuHAgMBAAGjgZEwgY4wHQYDVR0OBBYEFFydJvQMB2j4EDHW2bQabNsPUvDt\n" +
+        "ME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsPUvDtoSOkITAfMQswCQYDVQQG\n" +
+        "EwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A/k4vMA8GA1UdEwEB/wQFMAMB\n" +
+        "Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA4GBAHgoopmZ1Q4qXhMDbbYQ\n" +
+        "YCi4Cg6cXPFblx5gzhWu/6l9SkvZbAZiLszgyMq5dGj9WyTtibNEp232dQsKTFu7\n" +
+        "3ag0DiFqoQ8btgvbwBlzhnRagoeVFjhuBBQutOScw7x8NCSBkZQow+31127mwu3y\n" +
+        "YGYhEmI2dNmgbv1hVYTGmLXW\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICdTCCAd6gAwIBAgIJAL+MYVyy7k5YMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxNFoXDTI5MDEy\n" +
+        "MjA5MjcxNFowMTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUxEDAOBgNV\n" +
+        "BAsTB0NsYXNzLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2mwX8dhP3M\n" +
+        "i6ATRsd0wco+c7rsyEbP0CRQunVIP8/kOL8+zyQix+QZquY23tvBCbia424GXDkT\n" +
+        "irvK/M4yGzrdS51hA5dlH3SHY3CWOAqEPqKtNLn1My4MWtTiUWbHi0YjFuOv0BXz\n" +
+        "x9lTEfMf+3QcOgO5FitcqHIMP4jIlT+lAgMBAAGjgaYwgaMwHQYDVR0OBBYEFJHg\n" +
+        "eyEWcjxcAwc01BPQrau/4HJaME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsP\n" +
+        "UvDtoSOkITAfMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A\n" +
+        "/k4vMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBMGA1UdHgQMMAqhCDAG\n" +
+        "iAQqAwQFMA0GCSqGSIb3DQEBBQUAA4GBAI3CDQWZiTlVVVqfCiZwc/yIL7G5bu2g\n" +
+        "ccgVz9PyKfTpq8vk59S23TvPwdPt4ZVx4RSoar9ONtbrcLxfP3X6WQ7e9popWNZV\n" +
+        "q49YfyU1tD5HFuxj7CAsvfykuRo4ovXaTCVWlTMi7fJJdzU0Eb4xkXXhiWT/RbHG\n" +
+        "R7J+8ROMZ+nR\n" +
+        "-----END CERTIFICATE-----";
+
+    static String targetCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIJAOA8c10w019XMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFzcy0xMB4XDTA5\n" +
+        "MDUwNzEwMjY0M1oXDTI5MDEyMjEwMjY0M1owQTELMAkGA1UEBhMCVVMxEDAOBgNV\n" +
+        "BAoTB0V4YW1wbGUxEDAOBgNVBAsTB0NsYXNzLTExDjAMBgNVBAMTBVN1c2FuMIGf\n" +
+        "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmyS8SskMX3mreD95oBaXUGNvPTK0\n" +
+        "39IBdxle2TpJEBL/BcS4QUb2+67WjrXhUZWFtpc4RzywfvSSxZH2wbwDDJPs56OC\n" +
+        "Eczsdnqe7gOroYm2TMfY0/pItgP3mRkhJpxAWFc/y7Qr8jJbPmKfiYbYROp1eR2t\n" +
+        "BrjUiUTrAtM7GwIDAQABo2AwXjALBgNVHQ8EBAMCA+gwDwYDVR0RBAgwBogEKgME\n" +
+        "BTAdBgNVHQ4EFgQUyqtfkWtPah5J658LHN8CEGIgAbgwHwYDVR0jBBgwFoAUkeB7\n" +
+        "IRZyPFwDBzTUE9Ctq7/gclowDQYJKoZIhvcNAQEFBQADgYEAnwaLBteuJhXF56Rg\n" +
+        "l8FIEzgJtT4yu/8WsYjhN6/aLGkgJ37VavWdhjwXIb1RVJE/ab3hTbWF5ht7jMcQ\n" +
+        "/WnD8R8CpwEEX/n2wpb3zMHZ8zT7k0mWYm10mPHw1psjOUvJd/zB4gT4tc2A2soM\n" +
+        "FbcNIaCtg8blO5ImdOz5hAi+NuY=\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(subCaCertStr.getBytes());
+        Certificate subCaCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, subCaCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 8));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // disable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "false");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+            throw new Exception(
+                "the subjectAltName is excluded by NameConstraints, " +
+                "should thrown CertPathValidatorException");
+        } catch (CertPathValidatorException uoe) {
+            // that is the expected exception.
+        }
+    }
+}
--- a/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithUnexpectedRID.java
+++ b/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithUnexpectedRID.java
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6845286
+ * @summary Add regression test for name constraints
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class NameConstraintsWithUnexpectedRID {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICTjCCAbegAwIBAgIJAIoSzC1A/k4vMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxMloXDTMwMDQx\n" +
+        "NzA5MjcxMlowHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUwgZ8wDQYJ\n" +
+        "KoZIhvcNAQEBBQADgY0AMIGJAoGBANXzlv5Fn2cdgBRdEK/37/o8rqQXIRIMZqX6\n" +
+        "BPuo46Cdhctv+n3hu5bj/PwgJVbAJcqcQfDudSSF5gwGlRqDX9vekPSS47XZXjOZ\n" +
+        "qFcnDoWP0gSQXLYVVtjuItkecTrPyUE5v2lRIAh13MGKOSh3ZsrtFvj7Y5d9EqIP\n" +
+        "SLxWWPuHAgMBAAGjgZEwgY4wHQYDVR0OBBYEFFydJvQMB2j4EDHW2bQabNsPUvDt\n" +
+        "ME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsPUvDtoSOkITAfMQswCQYDVQQG\n" +
+        "EwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A/k4vMA8GA1UdEwEB/wQFMAMB\n" +
+        "Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA4GBAHgoopmZ1Q4qXhMDbbYQ\n" +
+        "YCi4Cg6cXPFblx5gzhWu/6l9SkvZbAZiLszgyMq5dGj9WyTtibNEp232dQsKTFu7\n" +
+        "3ag0DiFqoQ8btgvbwBlzhnRagoeVFjhuBBQutOScw7x8NCSBkZQow+31127mwu3y\n" +
+        "YGYhEmI2dNmgbv1hVYTGmLXW\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICdTCCAd6gAwIBAgIJAL+MYVyy7k5YMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxNFoXDTI5MDEy\n" +
+        "MjA5MjcxNFowMTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUxEDAOBgNV\n" +
+        "BAsTB0NsYXNzLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2mwX8dhP3M\n" +
+        "i6ATRsd0wco+c7rsyEbP0CRQunVIP8/kOL8+zyQix+QZquY23tvBCbia424GXDkT\n" +
+        "irvK/M4yGzrdS51hA5dlH3SHY3CWOAqEPqKtNLn1My4MWtTiUWbHi0YjFuOv0BXz\n" +
+        "x9lTEfMf+3QcOgO5FitcqHIMP4jIlT+lAgMBAAGjgaYwgaMwHQYDVR0OBBYEFJHg\n" +
+        "eyEWcjxcAwc01BPQrau/4HJaME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsP\n" +
+        "UvDtoSOkITAfMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A\n" +
+        "/k4vMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBMGA1UdHgQMMAqhCDAG\n" +
+        "iAQqAwQFMA0GCSqGSIb3DQEBBQUAA4GBAI3CDQWZiTlVVVqfCiZwc/yIL7G5bu2g\n" +
+        "ccgVz9PyKfTpq8vk59S23TvPwdPt4ZVx4RSoar9ONtbrcLxfP3X6WQ7e9popWNZV\n" +
+        "q49YfyU1tD5HFuxj7CAsvfykuRo4ovXaTCVWlTMi7fJJdzU0Eb4xkXXhiWT/RbHG\n" +
+        "R7J+8ROMZ+nR\n" +
+        "-----END CERTIFICATE-----";
+
+    static String targetCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICTzCCAbigAwIBAgIJAOA8c10w019UMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFzcy0xMB4XDTA5\n" +
+        "MDUwNzA5NTg0OVoXDTI5MDEyMjA5NTg0OVowQTELMAkGA1UEBhMCVVMxEDAOBgNV\n" +
+        "BAoTB0V4YW1wbGUxEDAOBgNVBAsTB0NsYXNzLTExDjAMBgNVBAMTBUFsaWNlMIGf\n" +
+        "MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfekJF8IZeOe3Ff1rexVyx9yTmPSKh\n" +
+        "itEW7tW9m8DgqLGDptJLmbexvUCWNkFquQW1J8sjzjqrkIk8amA2SlHQ6Z15RoxC\n" +
+        "E19qi5V5ms97X3lyuJcwwtT24J5PBk9ic/V6zclsNXSj/NoqlciKMxyvRy9zWk6Z\n" +
+        "W5cVDf7DTzN2cwIDAQABo18wXTALBgNVHQ8EBAMCA+gwDgYDVR0RBAcwBYgDKgME\n" +
+        "MB0GA1UdDgQWBBRh8rvMhT17VI+S3pCVzTwQzVMjOTAfBgNVHSMEGDAWgBSR4Hsh\n" +
+        "FnI8XAMHNNQT0K2rv+ByWjANBgkqhkiG9w0BAQUFAAOBgQCNDnJ0Jz37+SmO9uRJ\n" +
+        "z5Rr15oJAKsde5LGhghHZwTTYInOwGOYAABkWRB7JhUHNjIoQg9veqObSHEgcYMh\n" +
+        "ZmO3rklIxyTeoyn86KR49cdvQUoqEhx1jKrEbFBsAwSbJDw//S+wNYgMHYtcynf4\n" +
+        "dcVScVdLUDeqE/3f+5yt1JPRuA==\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(subCaCertStr.getBytes());
+        Certificate subCaCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, subCaCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 8));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // disable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "false");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+            throw new Exception("Should thrown UnsupportedOperationException");
+        } catch (UnsupportedOperationException uoe) {
+            // that is the expected exception.
+        }
+    }
+}
--- a/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithoutRID.java
+++ b/test/java/security/cert/CertPathValidator/nameConstraints/NameConstraintsWithoutRID.java
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6845286
+ * @summary Add regression test for name constraints
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+
+public class NameConstraintsWithoutRID {
+
+    static String selfSignedCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICTjCCAbegAwIBAgIJAIoSzC1A/k4vMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxMloXDTMwMDQx\n" +
+        "NzA5MjcxMlowHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUwgZ8wDQYJ\n" +
+        "KoZIhvcNAQEBBQADgY0AMIGJAoGBANXzlv5Fn2cdgBRdEK/37/o8rqQXIRIMZqX6\n" +
+        "BPuo46Cdhctv+n3hu5bj/PwgJVbAJcqcQfDudSSF5gwGlRqDX9vekPSS47XZXjOZ\n" +
+        "qFcnDoWP0gSQXLYVVtjuItkecTrPyUE5v2lRIAh13MGKOSh3ZsrtFvj7Y5d9EqIP\n" +
+        "SLxWWPuHAgMBAAGjgZEwgY4wHQYDVR0OBBYEFFydJvQMB2j4EDHW2bQabNsPUvDt\n" +
+        "ME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsPUvDtoSOkITAfMQswCQYDVQQG\n" +
+        "EwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A/k4vMA8GA1UdEwEB/wQFMAMB\n" +
+        "Af8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA4GBAHgoopmZ1Q4qXhMDbbYQ\n" +
+        "YCi4Cg6cXPFblx5gzhWu/6l9SkvZbAZiLszgyMq5dGj9WyTtibNEp232dQsKTFu7\n" +
+        "3ag0DiFqoQ8btgvbwBlzhnRagoeVFjhuBBQutOScw7x8NCSBkZQow+31127mwu3y\n" +
+        "YGYhEmI2dNmgbv1hVYTGmLXW\n" +
+        "-----END CERTIFICATE-----";
+
+    static String subCaCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICdTCCAd6gAwIBAgIJAL+MYVyy7k5YMA0GCSqGSIb3DQEBBQUAMB8xCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMB4XDTA5MDUwNzA5MjcxNFoXDTI5MDEy\n" +
+        "MjA5MjcxNFowMTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGUxEDAOBgNV\n" +
+        "BAsTB0NsYXNzLTEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2mwX8dhP3M\n" +
+        "i6ATRsd0wco+c7rsyEbP0CRQunVIP8/kOL8+zyQix+QZquY23tvBCbia424GXDkT\n" +
+        "irvK/M4yGzrdS51hA5dlH3SHY3CWOAqEPqKtNLn1My4MWtTiUWbHi0YjFuOv0BXz\n" +
+        "x9lTEfMf+3QcOgO5FitcqHIMP4jIlT+lAgMBAAGjgaYwgaMwHQYDVR0OBBYEFJHg\n" +
+        "eyEWcjxcAwc01BPQrau/4HJaME8GA1UdIwRIMEaAFFydJvQMB2j4EDHW2bQabNsP\n" +
+        "UvDtoSOkITAfMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRXhhbXBsZYIJAIoSzC1A\n" +
+        "/k4vMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMBMGA1UdHgQMMAqhCDAG\n" +
+        "iAQqAwQFMA0GCSqGSIb3DQEBBQUAA4GBAI3CDQWZiTlVVVqfCiZwc/yIL7G5bu2g\n" +
+        "ccgVz9PyKfTpq8vk59S23TvPwdPt4ZVx4RSoar9ONtbrcLxfP3X6WQ7e9popWNZV\n" +
+        "q49YfyU1tD5HFuxj7CAsvfykuRo4ovXaTCVWlTMi7fJJdzU0Eb4xkXXhiWT/RbHG\n" +
+        "R7J+8ROMZ+nR\n" +
+        "-----END CERTIFICATE-----";
+
+    static String targetCertStr =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPTCCAaagAwIBAgIJAOA8c10w019WMA0GCSqGSIb3DQEBBQUAMDExCzAJBgNV\n" +
+        "BAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFzcy0xMB4XDTA5\n" +
+        "MDUwNzEwMjY0MloXDTI5MDEyMjEwMjY0MlowPzELMAkGA1UEBhMCVVMxEDAOBgNV\n" +
+        "BAoTB0V4YW1wbGUxEDAOBgNVBAsTB0NsYXNzLTExDDAKBgNVBAMTA0JvYjCBnzAN\n" +
+        "BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx4N+y29y5mAGnVQHA3x3fQehxm3nFohQ\n" +
+        "gKV10bZ24/hwZn6rZXG6VsBaqkrgw7ipRZzk99etihAomAFL9k0q/0nxFP/Ovwio\n" +
+        "NzacF3vpv85FF6ATwY1Zs+p4hfxU3WnnyyS9la9Z3o5QBhQbV/WjA/JSG5+ImQFp\n" +
+        "nLkPfzU4wXECAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTxUJG+QewS\n" +
+        "rSGcuiJy+K4gb1g/BzAfBgNVHSMEGDAWgBSR4HshFnI8XAMHNNQT0K2rv+ByWjAN\n" +
+        "BgkqhkiG9w0BAQUFAAOBgQA9fDeTtSXmP/MEni0vtAmgTPd6R31NcPWKibDizwYS\n" +
+        "BWjUMcbTN8xeXjm4uQLMK8ZQy2+cmNrTvQ59BZ8Y97y7SJUcBLOW5eivO/mKuBsC\n" +
+        "ACB9IxBUGVEwNup7KJ5ixox5jKt+qPwzCheyQQb9NEDJdB0YaHRhFpCcpCFak8yK\n" +
+        "/A==\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(targetCertStr.getBytes());
+        Certificate targetCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(subCaCertStr.getBytes());
+        Certificate subCaCert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        targetCert, subCaCert, selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    public static void main(String args[]) throws Exception {
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 5, 8));   // 2009-05-01
+
+        // disable OCSP checker
+        Security.setProperty("ocsp.enable", "false");
+
+        // disable CRL checker
+        System.setProperty("com.sun.security.enableCRLDP", "false");
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        try {
+            validator.validate(path, params);
+        } catch (CertPathValidatorException uoe) {
+            // unexpected exception, rethrow it.
+            throw uoe;
+        }
+    }
+}
--- a/test/java/security/cert/CertPathValidator/nameConstraints/generate.sh
+++ b/test/java/security/cert/CertPathValidator/nameConstraints/generate.sh
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+OPENSSL=openssl
+
+# generate a self-signed root certificate
+if [ ! -f root/root_cert.pem ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    ${OPENSSL} req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
+        -out root/root_cert.pem -subj "/C=US/O=Example" \
+        -config openssl.cnf -reqexts cert_issuer -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+fi
+
+# generate subca cert issuer
+if [ ! -f subca/subca_cert.pem ]; then
+    if [ ! -d subca ]; then
+        mkdir subca
+    fi
+
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/subca_key.pem \
+        -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    ${OPENSSL} x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert.pem \
+        -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/alice_cert.pem ]; then
+    if [ ! -d subca/alice ]; then
+        mkdir -p subca/alice
+    fi
+
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
+        -out subca/alice/alice_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    ${OPENSSL} x509 -req -in subca/alice/alice_req.pem \
+        -extfile openssl.cnf -extensions alice_of_subca \
+        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+        -out subca/alice/alice_cert.pem -CAcreateserial \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Bob
+if [ ! -f subca/bob/bob.pem ]; then
+    if [ ! -d subca/bob ]; then
+        mkdir -p subca/bob
+    fi
+
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
+        -out subca/bob/bob_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    ${OPENSSL} x509 -req -in subca/bob/bob_req.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+        -out subca/bob/bob_cert.pem -CAcreateserial \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Susan
+if [ ! -f subca/susan/susan_cert.pem ]; then
+    if [ ! -d subca/susan ]; then
+        mkdir -p subca/susan
+    fi
+
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
+        -out subca/susan/susan_req.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    ${OPENSSL} x509 -req -in subca/susan/susan_req.pem \
+        -extfile openssl.cnf -extensions susan_of_subca \
+        -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+        -out subca/susan/susan_cert.pem -CAcreateserial \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
--- a/test/java/security/cert/CertPathValidator/nameConstraints/openssl.cnf
+++ b/test/java/security/cert/CertPathValidator/nameConstraints/openssl.cnf
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME                = .
+RANDFILE            = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca          = CA_default
+
+[ CA_default ]
+dir                 = ./top
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_top ]
+dir                 = ./root
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_subca ]
+dir                 = ./subca
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+
+certificate         = $dir/cacert.pem
+serial              = $dir/serial 
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem 
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = usr_cert
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ policy_match ]
+countryName         = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ policy_anything ]
+countryName         = optional
+stateOrProvinceName = optional
+localityName        = optional
+organizationName    = optional
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ req ]
+default_bits        = 1024
+default_keyfile     = privkey.pem
+distinguished_name  = req_distinguished_name
+attributes          = req_attributes
+x509_extensions     = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName         = Country Name (2 letter code)
+countryName_default = NO
+countryName_min     = 2
+countryName_max     = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default  = A-State
+
+localityName        = Locality Name (eg, city)
+
+0.organizationName  = Organization Name (eg, company)
+0.organizationName_default   = Internet Widgits Pty Ltd
+
+organizationalUnitName       = Organizational Unit Name (eg, section)
+
+commonName              = Common Name (eg, YOUR name)
+commonName_max          = 64
+
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+challengePassword       = A challenge password
+challengePassword_min   = 4
+challengePassword_max   = 20
+unstructuredName        = An optional company name
+
+
+[ usr_cert ]
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+[ v3_req ]
+basicConstraints        = CA:FALSE
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName          = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+
+[ cert_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+nameConstraints         = excluded;RID:1.2.3.4.5
+
+[ crl_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+keyUsage                = cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage    = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+[ alice_of_subca ]
+keyUsage    = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+subjectAltName          = RID:1.2.3.4
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+[ susan_of_subca ]
+keyUsage    = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+subjectAltName          = RID:1.2.3.4.5
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer