6861062: Disable MD2 support

Reviewed-by: mullan, weijun

src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java

+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.security.provider.certpath;
+
+import java.util.Set;
+import java.util.Collection;
+import java.util.Locale;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.cert.X509CRL;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.PKIXCertPathChecker;
+
+import sun.security.x509.AlgorithmId;
+
+/**
+ * AlgorithmChecker is a <code>PKIXCertPathChecker</code> that checks that
+ * the signature algorithm of the specified certificate is not disabled.
+ *
+ * @author      Xuelei Fan
+ */
+final public class AlgorithmChecker extends PKIXCertPathChecker {
+
+    // the disabled algorithms
+    private static final String[] disabledAlgorithms = new String[] {"md2"};
+
+    // singleton instance
+    static final AlgorithmChecker INSTANCE = new AlgorithmChecker();
+
+    /**
+     * Default Constructor
+     */
+    private AlgorithmChecker() {
+        // do nothing
+    }
+
+    /**
+     * Return a AlgorithmChecker instance.
+     */
+    static AlgorithmChecker getInstance() {
+        return INSTANCE;
+    }
+
+    /**
+     * Initializes the internal state of the checker from parameters
+     * specified in the constructor.
+     */
+    public void init(boolean forward) throws CertPathValidatorException {
+        // do nothing
+    }
+
+    public boolean isForwardCheckingSupported() {
+        return false;
+    }
+
+    public Set<String> getSupportedExtensions() {
+        return null;
+    }
+
+    /**
+     * Checks the signature algorithm of the specified certificate.
+     */
+    public void check(Certificate cert, Collection<String> unresolvedCritExts)
+            throws CertPathValidatorException {
+        check(cert);
+    }
+
+    public static void check(Certificate cert)
+            throws CertPathValidatorException {
+        X509Certificate xcert = (X509Certificate)cert;
+        check(xcert.getSigAlgName());
+    }
+
+    static void check(AlgorithmId aid) throws CertPathValidatorException {
+        check(aid.getName());
+    }
+
+    static void check(X509CRL crl) throws CertPathValidatorException {
+        check(crl.getSigAlgName());
+    }
+
+    private static void check(String algName)
+            throws CertPathValidatorException {
+
+        String lowerCaseAlgName = algName.toLowerCase(Locale.ENGLISH);
+
+        for (String disabled : disabledAlgorithms) {
+            // checking the signature algorithm name
+            if (lowerCaseAlgName.indexOf(disabled) != -1) {
+                throw new CertPathValidatorException(
+                    "algorithm check failed: " + algName + " is disabled");
+            }
+        }
+    }
+
+}

src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java

@@ -309,6 +309,16 @@ class DistributionPointFetcher {
         X500Name certIssuer = (X500Name) certImpl.getIssuerDN();
         X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();
 
+        // check the crl signature algorithm
+        try {
+            AlgorithmChecker.check(crl);
+        } catch (CertPathValidatorException cpve) {
+            if (debug != null) {
+                debug.println("CRL signature algorithm check failed: " + cpve);
+            }
+            return false;
+        }
+
         // if crlIssuer is set, verify that it matches the issuer of the
         // CRL and the CRL contains an IDP extension with the indirectCRL
         // boolean asserted. Otherwise, verify that the CRL issuer matches the

src/share/classes/sun/security/provider/certpath/ForwardBuilder.java

@@ -715,6 +715,11 @@ class ForwardBuilder extends Builder {
 
         /* we don't perform any validation of the trusted cert */
         if (!isTrustedCert) {
+            /*
+             * check that the signature algorithm is not disabled.
+             */
+            AlgorithmChecker.check(cert);
+
             /*
              * Check CRITICAL private extensions for user checkers that
              * support forward checking (forwardCheckers) and remove

src/share/classes/sun/security/provider/certpath/OCSPChecker.java

@@ -297,12 +297,29 @@ class OCSPChecker extends PKIXCertPathChecker {
                     }
                     if (filter != null) {
                         List<CertStore> certStores = pkixParams.getCertStores();
+                        AlgorithmChecker algChecker=
+                                                AlgorithmChecker.getInstance();
                         for (CertStore certStore : certStores) {
-                            Iterator i =
-                                certStore.getCertificates(filter).iterator();
-                            if (i.hasNext()) {
-                                responderCert = (X509Certificate) i.next();
-                                seekResponderCert = false; // done
+                            for (Certificate selected :
+                                    certStore.getCertificates(filter)) {
+                                try {
+                                    // don't bother to trust algorithm disabled
+                                    // certificate as responder
+                                    algChecker.check(selected);
+
+                                    responderCert = (X509Certificate)selected;
+                                    seekResponderCert = false; // done
+                                    break;
+                                } catch (CertPathValidatorException cpve) {
+                                    if (DEBUG != null) {
+                                        DEBUG.println(
+                                            "OCSP responder certificate " +
+                                            "algorithm check failed: " + cpve);
+                                    }
+                                }
+                            }
+
+                            if (!seekResponderCert) {
                                 break;
                             }
                         }

src/share/classes/sun/security/provider/certpath/OCSPResponse.java

@@ -230,6 +230,11 @@ class OCSPResponse {
                 new DerInputStream(derIn.getOctetString());
 
             DerValue[]  seqTmp = basicOCSPResponse.getSequence(2);
+
+            if (seqTmp.length < 3) {
+                throw new IOException("Unexpected BasicOCSPResponse value");
+            }
+
             DerValue responseData = seqTmp[0];
 
             // Need the DER encoded ResponseData to verify the signature later
@@ -312,6 +317,9 @@ class OCSPResponse {
             // signatureAlgorithmId
             sigAlgId = AlgorithmId.parse(seqTmp[1]);
 
+            // check that the signature algorithm is not disabled.
+            AlgorithmChecker.check(sigAlgId);
+
             // signature
             byte[] signature = seqTmp[2].getBitString();
             X509CertImpl[] x509Certs = null;
@@ -345,6 +353,9 @@ class OCSPResponse {
                 } else if (cert.getIssuerX500Principal().equals(
                     responderCert.getSubjectX500Principal())) {
 
+                    // check the certificate algorithm
+                    AlgorithmChecker.check(cert);
+
                     // Check for the OCSPSigning key purpose
                     List<String> keyPurposes = cert.getExtendedKeyUsage();
                     if (keyPurposes == null ||

src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java

 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -276,6 +276,7 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
         int certPathLen = certList.size();
 
         basicChecker = new BasicChecker(anchor, testDate, sigProvider, false);
+        AlgorithmChecker algorithmChecker= AlgorithmChecker.getInstance();
         KeyChecker keyChecker = new KeyChecker(certPathLen,
             pkixParam.getTargetCertConstraints());
         ConstraintsChecker constraintsChecker =
@@ -292,6 +293,7 @@ public class PKIXCertPathValidator extends CertPathValidatorSpi {
         ArrayList<PKIXCertPathChecker> certPathCheckers =
             new ArrayList<PKIXCertPathChecker>();
         // add standard checkers that we will be using
+        certPathCheckers.add(algorithmChecker);
         certPathCheckers.add(keyChecker);
         certPathCheckers.add(constraintsChecker);
         certPathCheckers.add(policyChecker);

src/share/classes/sun/security/provider/certpath/ReverseBuilder.java

 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -347,6 +347,9 @@ class ReverseBuilder extends Builder {
             return;
         }
 
+        /* check that the signature algorithm is not disabled. */
+        AlgorithmChecker.check(cert);
+
         /*
          * check for looping - abort a loop if
          * ((we encounter the same certificate twice) AND

src/share/classes/sun/security/validator/SimpleValidator.java

@@ -40,6 +40,8 @@ import sun.security.util.DerInputStream;
 import sun.security.util.DerOutputStream;
 import sun.security.util.ObjectIdentifier;
 
+import sun.security.provider.certpath.AlgorithmChecker;
+
 /**
  * A simple validator implementation. It is based on code from the JSSE
  * X509TrustManagerImpl. This implementation is designed for compatibility with
@@ -134,6 +136,13 @@ public final class SimpleValidator extends Validator {
             X509Certificate issuerCert = chain[i + 1];
             X509Certificate cert = chain[i];
 
+            // check certificate algorithm
+            try {
+                AlgorithmChecker.check(cert);
+            } catch (CertPathValidatorException cpve) {
+                throw new ValidatorException
+                        (ValidatorException.T_ALGORITHM_DISABLED, cert, cpve);
+            }
 
             // no validity check for code signing certs
             if ((variant.equals(VAR_CODE_SIGNING) == false)

src/share/classes/sun/security/validator/ValidatorException.java

 /*
- * Copyright 2002-2003 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -55,6 +55,9 @@ public class ValidatorException extends CertificateException {
     public final static Object T_NAME_CHAINING =
         "Certificate chaining error";
 
+    public final static Object T_ALGORITHM_DISABLED =
+        "Certificate signature algorithm disabled";
+
     private Object type;
     private X509Certificate cert;
 

test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorEndEntity.java

+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6861062
+ * @summary Disable MD2 support
+ *
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+
+public class CPValidatorEndEntity {
+
+    // SHA1withRSA 1024
+    static String trustAnchor_SHA1withRSA_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC8UdC863pFk1Rvd7xUYd60+e9KsLhb6SqOfU42ZA715FcH\n" +
+        "E1TRvQPmYzAnHcO04TrWZQtO6E+E2RCmeBnetBvIMVka688QkO14wnrIrf2tRodd\n" +
+        "rZNZEBzkX+zyXCRo9tKEUDFf9Qze7Ilbb+Zzm9CUfu4M1Oz6iQcXRx7aM0jEAQID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBTn0C+xmZY/BTab4W9gBp3dGa7WgjBHBgNVHSME\n" +
+        "QDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEFBQADgYEAiCXL2Yp4ruyRXAIJ8zBEaPC9oV2agqgbSbly2z8z\n" +
+        "Ik5SeSRysP+GHBpb8uNyANJnQKv+T0GrJiTLMBjKCOiJl6xzk3EZ2wbQB6G/SQ9+\n" +
+        "UWcsXSC8oGSEPpkj5In/9/UbuUIfT9H8jmdyLNKQvlqgq6kyfnskME7ptGgT95Hc\n" +
+        "tas=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512
+    static String trustAnchor_SHA1withRSA_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBuTCCAWOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMFwwDQYJKoZIhvcNAQEB\n" +
+        "BQADSwAwSAJBAM0Kn4ieCdCHsrm78ZMMN4jQEEEqACAMKB7O8j9g4gfz2oAfmHwv\n" +
+        "7JH/hZ0Xen1zUmBbwe+e2J5D/4Fisp9Bn98CAwEAAaOBiTCBhjAdBgNVHQ4EFgQU\n" +
+        "g4Kwd47hdNQBp8grZsRJ5XvhvxAwRwYDVR0jBEAwPoAUg4Kwd47hdNQBp8grZsRJ\n" +
+        "5XvhvxChI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMA8G\n" +
+        "A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA0EAn77b\n" +
+        "FJx+HvyRvjZYCzMjnUct3Ql4iLOkURYDh93J5TXi/l9ajvAMEuwzYj0qZ+Ktm/ia\n" +
+        "U5r+8B9nzx+j2Zh3kw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 1024
+    static String intermediate_SHA1withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDhaFw0yOTA0MjMwMTExNDha\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAHze3wAcIe84zNOoN\n" +
+        "P8l9EmlVVoU30z3LB3hxq3m/dC/4gE5Z9Z8EG1wJw4qaxlTZ4dif12nbTTdofVhb\n" +
+        "Bd4syjo6fcUA4q7sfg9TFpoHQ+Ap7PgjK99moMKdMy50Xy8s6FPvaVkF89s66Z6y\n" +
+        "e4q7TSwe6QevGOZaL5N/iy2XGEs=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 512
+    static String intermediate_SHA1withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBSDgrB3juF01AGnyCtmxEnle+G/EKEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADQQCYNmdkONfuk07XjRze\n" +
+        "WQyq2cfdae4uIdyUfa2rpgYMtSXuQW3/XrQGiz4G6WBXA2wo7folOOpAKYgvHPrm\n" +
+        "w6Dd\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 1024
+    static String intermediate_SHA1withRSA_512_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDDCCAXWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKubXYoEHZpZkhzA9XX+NrpqJ4SV\n" +
+        "lOMBoL3aWExQpJIgrUaZfbGMBBozIHBJMMayokguHbJvq4QigEgLuhfJNqsCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQUN0CHiTYPtjyvpP2a6y6mhsZ6U40wRwYDVR0jBEAw\n" +
+        "PoAU59AvsZmWPwU2m+FvYAad3Rmu1oKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA4GBAE2VOlw5ySLT3gUzKCYEga4QPaSrf6lHHPi2g48LscEY\n" +
+        "h9qQXh4nuIVugReBIEf6N49RdT+M2cgRJo4sZ3ukYLGQzxNuttL5nPSuuvrAR1oG\n" +
+        "LUyzOWcUpKHbVHi6zlTt79RvTKZvLcduLutmtPtLJcM9PdiAI1wEooSgxTwZtB/Z\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 512
+    static String intermediate_SHA1withRSA_512_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIByzCCAXWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKubXYoEHZpZkhzA9XX+NrpqJ4SV\n" +
+        "lOMBoL3aWExQpJIgrUaZfbGMBBozIHBJMMayokguHbJvq4QigEgLuhfJNqsCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQUN0CHiTYPtjyvpP2a6y6mhsZ6U40wRwYDVR0jBEAw\n" +
+        "PoAUg4Kwd47hdNQBp8grZsRJ5XvhvxChI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA0EAoCf0Zu559qcB4xPpzqkVsYiyW49S4Yc0mmQXb1yoQgLx\n" +
+        "O+DCkjG5d14+t1MsnkhB2izoQUMxQ3vDc1YnA/tEpw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 1024
+    static String intermediate_MD2withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBBjANBgkqhkiG9w0BAQIFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEAPtEjwbWuC5kc4DPc\n" +
+        "Ttf/wdbD8ZCdAWzcc3XF9q1TlvwVMNk6mbfM05y6ZVsztKTkwZ4EcvFu/yIqw1EB\n" +
+        "E1zlXQCaWXT3/ZMbqYZV4+mx+RUl8spUCb1tda25jnTg3mTOzB1iztm4gy903EMd\n" +
+        "m8omKDKeCgcw5dR4ITQYvyxe1as=\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 512
+    static String intermediate_MD2withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBBzANBgkqhkiG9w0BAQIFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBSDgrB3juF01AGnyCtmxEnle+G/EKEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQECBQADQQBHok1v6xymtpB7N9xy\n" +
+        "0OmDT27uhmzlP0eOzJvXVxj3Oi9TLQJgCUJ9122MzfRAs1E1uJTtvuu+UmI80NQx\n" +
+        "KQdp\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 1024
+    static String endentiry_SHA1withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTBaFw0yOTA0MjMwMTExNTBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAy6/2g3rxQzJEvTyOnBcEnZthmAD0AnP6LG8b35jt\n" +
+        "vh71LHbF1FhkOT42Rfg20aBfWTMRf+FeOJBXpD4gCNjQA40vy8FaQxgYNAf7ho5v\n" +
+        "z6yAEE6SG7YviE+XGcvpQo47w8c6QSQjpBzdw7JxwbVlzUT7pF8x3RnXlGhWnWv6\n" +
+        "c1ECAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSaXXERsow2Wm/6uT07\n" +
+        "OorBleV92TAfBgNVHSMEGDAWgBTfWD9mRTppcUAlUqGuu/R5t8CB5jANBgkqhkiG\n" +
+        "9w0BAQUFAAOBgQAOfIeasDg91CR3jGfuAEVKwncM1OPFmniAUcdPm74cCAyJ90Me\n" +
+        "dhUElWPGoAuXGfiyZlOlGUYWqEroe/dnkmnotJjLWR+MA4ZyX3O1YI8T4W3deWcC\n" +
+        "J4WMCF7mp17SaYYKX9F0AxwNJFpUkbB41IkTxPr0MmzB1871/pbY8dLAvA==\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 512
+    static String endentiry_SHA1withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB9jCCAaCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTBaFw0yOTA0MjMwMTExNTBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAy6/2g3rxQzJEvTyOnBcEnZthmAD0AnP6LG8b35jt\n" +
+        "vh71LHbF1FhkOT42Rfg20aBfWTMRf+FeOJBXpD4gCNjQA40vy8FaQxgYNAf7ho5v\n" +
+        "z6yAEE6SG7YviE+XGcvpQo47w8c6QSQjpBzdw7JxwbVlzUT7pF8x3RnXlGhWnWv6\n" +
+        "c1ECAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSaXXERsow2Wm/6uT07\n" +
+        "OorBleV92TAfBgNVHSMEGDAWgBQ3QIeJNg+2PK+k/ZrrLqaGxnpTjTANBgkqhkiG\n" +
+        "9w0BAQUFAANBADV6X+ea0ftEKXy7yKNAbdIp35893T6AVwbdclomPkeOs86OtoTG\n" +
+        "1BIzWSK9QE7W6Wbf63e2RdcqoLK+DxsuwUg=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 1024
+    static String endentiry_SHA1withRSA_512_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB8zCCAVygAwIBAgIBBDANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTFaFw0yOTA0MjMwMTExNTFaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" +
+        "DQEBAQUAA0sAMEgCQQCpfQzhld7w2JhW/aRaLkmrLrc/QAsQE+J4DXioXaajsWPo\n" +
+        "uMmYmuiQolb6OIY/LcivSubKM3G5PkAWoovUPIWLAgMBAAGjTzBNMAsGA1UdDwQE\n" +
+        "AwID6DAdBgNVHQ4EFgQUFWuXLkf4Ji57H9ISycgWi982TUIwHwYDVR0jBBgwFoAU\n" +
+        "31g/ZkU6aXFAJVKhrrv0ebfAgeYwDQYJKoZIhvcNAQEFBQADgYEAUyW8PrEdbzLu\n" +
+        "B+h6UemBOJ024rYq90hJE/5wUEKPvxZ9vPEUgl+io6cGhL3cLfxfh6z5xtEGp4Tb\n" +
+        "NB0Ye3Qi01FBiNDY8s3rQRrmel6VysU8u+0Oi2jmQY6vZXn/zXN5rrTLITCaSicG\n" +
+        "dOMv1xLM83Ee432WWlDwKOUxhzDGpWc=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 512
+    static String endentiry_SHA1withRSA_512_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBsjCCAVygAwIBAgIBBTANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTFaFw0yOTA0MjMwMTExNTFaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" +
+        "DQEBAQUAA0sAMEgCQQCpfQzhld7w2JhW/aRaLkmrLrc/QAsQE+J4DXioXaajsWPo\n" +
+        "uMmYmuiQolb6OIY/LcivSubKM3G5PkAWoovUPIWLAgMBAAGjTzBNMAsGA1UdDwQE\n" +
+        "AwID6DAdBgNVHQ4EFgQUFWuXLkf4Ji57H9ISycgWi982TUIwHwYDVR0jBBgwFoAU\n" +
+        "N0CHiTYPtjyvpP2a6y6mhsZ6U40wDQYJKoZIhvcNAQEFBQADQQBG4grtrVEHick0\n" +
+        "z/6Lcl/MGyHT0c8KTXE0AMVXG1NRjAicAmYno/yDaJ9OmfymObKZKV9fF7yCW/N/\n" +
+        "TMU6m7N0\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 1024
+    static String endentiry_MD2withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICNzCCAaCgAwIBAgIBBjANBgkqhkiG9w0BAQIFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTFaFw0yOTA0MjMwMTExNTFaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAy6/2g3rxQzJEvTyOnBcEnZthmAD0AnP6LG8b35jt\n" +
+        "vh71LHbF1FhkOT42Rfg20aBfWTMRf+FeOJBXpD4gCNjQA40vy8FaQxgYNAf7ho5v\n" +
+        "z6yAEE6SG7YviE+XGcvpQo47w8c6QSQjpBzdw7JxwbVlzUT7pF8x3RnXlGhWnWv6\n" +
+        "c1ECAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSaXXERsow2Wm/6uT07\n" +
+        "OorBleV92TAfBgNVHSMEGDAWgBTfWD9mRTppcUAlUqGuu/R5t8CB5jANBgkqhkiG\n" +
+        "9w0BAQIFAAOBgQBxKsFf8NNQcXjDoKJJSG4Rk6ikcrhiGYuUI32+XHvs6hnav1Zc\n" +
+        "aJUpy7J4gMj/MnysMh/4AF9+m6zEEjuisXKUbYZhgtJxz+ukGSo163mJ8QJiAlRb\n" +
+        "Iwsy81r08mlSCR6jx2YhDAUxJIPC92R5Vb4CEutB7tWTwwz7vIHq330erA==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 512
+    static String endentiry_MD2withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIB9jCCAaCgAwIBAgIBBzANBgkqhkiG9w0BAQIFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA4MDYwMTEx\n" +
+        "NTFaFw0yOTA0MjMwMTExNTFaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+        "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAy6/2g3rxQzJEvTyOnBcEnZthmAD0AnP6LG8b35jt\n" +
+        "vh71LHbF1FhkOT42Rfg20aBfWTMRf+FeOJBXpD4gCNjQA40vy8FaQxgYNAf7ho5v\n" +
+        "z6yAEE6SG7YviE+XGcvpQo47w8c6QSQjpBzdw7JxwbVlzUT7pF8x3RnXlGhWnWv6\n" +
+        "c1ECAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSaXXERsow2Wm/6uT07\n" +
+        "OorBleV92TAfBgNVHSMEGDAWgBQ3QIeJNg+2PK+k/ZrrLqaGxnpTjTANBgkqhkiG\n" +
+        "9w0BAQIFAANBAIX63Ypi9P71RnC/pcMbhD+wekRFsTzU593X3MC7tyBJtEXwvAZG\n" +
+        "iMxXF5A+ohlr7/CrkV7ZTL8PLxnJdY5Y8rQ=\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath(String castr,
+            String eestr) throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(castr.getBytes());
+        Certificate cacert = cf.generateCertificate(is);
+
+        is = new ByteArrayInputStream(eestr.getBytes());
+        Certificate eecert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        eecert, cacert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
+
+        ByteArrayInputStream is =
+            new ByteArrayInputStream(trustAnchor_SHA1withRSA_1024.getBytes());
+        Certificate cert = cf.generateCertificate(is);
+        TrustAnchor anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
+        cert = cf.generateCertificate(is);
+        anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        return anchors;
+    }
+
+    public static void main(String args[]) throws Exception {
+        try {
+            validate(endentiry_SHA1withRSA_1024_1024,
+                                    intermediate_SHA1withRSA_1024_1024);
+            validate(endentiry_SHA1withRSA_1024_512,
+                                    intermediate_SHA1withRSA_512_1024);
+            validate(endentiry_SHA1withRSA_512_1024,
+                                    intermediate_SHA1withRSA_1024_1024);
+            validate(endentiry_SHA1withRSA_512_512,
+                                    intermediate_SHA1withRSA_512_1024);
+        } catch (CertPathValidatorException cpve) {
+            throw new Exception(
+                "unexpect exception, it is valid cert", cpve);
+        }
+
+        try {
+            validate(endentiry_MD2withRSA_1024_1024,
+                                    intermediate_SHA1withRSA_1024_1024);
+            throw new Exception("expected algorithm disabled exception");
+        } catch (CertPathValidatorException cpve) {
+            System.out.println("Get the expected exception " + cpve);
+        }
+
+        try {
+            validate(endentiry_MD2withRSA_1024_512,
+                                    intermediate_SHA1withRSA_512_1024);
+            throw new Exception("expected algorithm disabled exception");
+        } catch (CertPathValidatorException cpve) {
+            System.out.println("Get the expected exception " + cpve);
+        }
+    }
+
+    private static void validate(String eecert, String cacert)
+            throws CertPathValidatorException, Exception {
+
+        CertPath path = generateCertificatePath(cacert, eecert);
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 9, 1));   // 2009-09-01
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        validator.validate(path, params);
+    }
+
+}

test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorIntermediate.java

+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6861062
+ * @summary Disable MD2 support
+ *
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+
+public class CPValidatorIntermediate {
+
+    // SHA1withRSA 1024
+    static String trustAnchor_SHA1withRSA_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC8UdC863pFk1Rvd7xUYd60+e9KsLhb6SqOfU42ZA715FcH\n" +
+        "E1TRvQPmYzAnHcO04TrWZQtO6E+E2RCmeBnetBvIMVka688QkO14wnrIrf2tRodd\n" +
+        "rZNZEBzkX+zyXCRo9tKEUDFf9Qze7Ilbb+Zzm9CUfu4M1Oz6iQcXRx7aM0jEAQID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBTn0C+xmZY/BTab4W9gBp3dGa7WgjBHBgNVHSME\n" +
+        "QDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEFBQADgYEAiCXL2Yp4ruyRXAIJ8zBEaPC9oV2agqgbSbly2z8z\n" +
+        "Ik5SeSRysP+GHBpb8uNyANJnQKv+T0GrJiTLMBjKCOiJl6xzk3EZ2wbQB6G/SQ9+\n" +
+        "UWcsXSC8oGSEPpkj5In/9/UbuUIfT9H8jmdyLNKQvlqgq6kyfnskME7ptGgT95Hc\n" +
+        "tas=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512
+    static String trustAnchor_SHA1withRSA_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBuTCCAWOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMFwwDQYJKoZIhvcNAQEB\n" +
+        "BQADSwAwSAJBAM0Kn4ieCdCHsrm78ZMMN4jQEEEqACAMKB7O8j9g4gfz2oAfmHwv\n" +
+        "7JH/hZ0Xen1zUmBbwe+e2J5D/4Fisp9Bn98CAwEAAaOBiTCBhjAdBgNVHQ4EFgQU\n" +
+        "g4Kwd47hdNQBp8grZsRJ5XvhvxAwRwYDVR0jBEAwPoAUg4Kwd47hdNQBp8grZsRJ\n" +
+        "5XvhvxChI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMA8G\n" +
+        "A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA0EAn77b\n" +
+        "FJx+HvyRvjZYCzMjnUct3Ql4iLOkURYDh93J5TXi/l9ajvAMEuwzYj0qZ+Ktm/ia\n" +
+        "U5r+8B9nzx+j2Zh3kw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 1024
+    static String intermediate_SHA1withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDhaFw0yOTA0MjMwMTExNDha\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAHze3wAcIe84zNOoN\n" +
+        "P8l9EmlVVoU30z3LB3hxq3m/dC/4gE5Z9Z8EG1wJw4qaxlTZ4dif12nbTTdofVhb\n" +
+        "Bd4syjo6fcUA4q7sfg9TFpoHQ+Ap7PgjK99moMKdMy50Xy8s6FPvaVkF89s66Z6y\n" +
+        "e4q7TSwe6QevGOZaL5N/iy2XGEs=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 1024 signed with RSA 512
+    static String intermediate_SHA1withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBSDgrB3juF01AGnyCtmxEnle+G/EKEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADQQCYNmdkONfuk07XjRze\n" +
+        "WQyq2cfdae4uIdyUfa2rpgYMtSXuQW3/XrQGiz4G6WBXA2wo7folOOpAKYgvHPrm\n" +
+        "w6Dd\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 1024
+    static String intermediate_SHA1withRSA_512_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDDCCAXWgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKubXYoEHZpZkhzA9XX+NrpqJ4SV\n" +
+        "lOMBoL3aWExQpJIgrUaZfbGMBBozIHBJMMayokguHbJvq4QigEgLuhfJNqsCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQUN0CHiTYPtjyvpP2a6y6mhsZ6U40wRwYDVR0jBEAw\n" +
+        "PoAU59AvsZmWPwU2m+FvYAad3Rmu1oKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA4GBAE2VOlw5ySLT3gUzKCYEga4QPaSrf6lHHPi2g48LscEY\n" +
+        "h9qQXh4nuIVugReBIEf6N49RdT+M2cgRJo4sZ3ukYLGQzxNuttL5nPSuuvrAR1oG\n" +
+        "LUyzOWcUpKHbVHi6zlTt79RvTKZvLcduLutmtPtLJcM9PdiAI1wEooSgxTwZtB/Z\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512 signed with RSA 512
+    static String intermediate_SHA1withRSA_512_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIByzCCAXWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKubXYoEHZpZkhzA9XX+NrpqJ4SV\n" +
+        "lOMBoL3aWExQpJIgrUaZfbGMBBozIHBJMMayokguHbJvq4QigEgLuhfJNqsCAwEA\n" +
+        "AaOBiTCBhjAdBgNVHQ4EFgQUN0CHiTYPtjyvpP2a6y6mhsZ6U40wRwYDVR0jBEAw\n" +
+        "PoAUg4Kwd47hdNQBp8grZsRJ5XvhvxChI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" +
+        "CSqGSIb3DQEBBQUAA0EAoCf0Zu559qcB4xPpzqkVsYiyW49S4Yc0mmQXb1yoQgLx\n" +
+        "O+DCkjG5d14+t1MsnkhB2izoQUMxQ3vDc1YnA/tEpw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 1024
+    static String intermediate_MD2withRSA_1024_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICUDCCAbmgAwIBAgIBBjANBgkqhkiG9w0BAQIFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEAPtEjwbWuC5kc4DPc\n" +
+        "Ttf/wdbD8ZCdAWzcc3XF9q1TlvwVMNk6mbfM05y6ZVsztKTkwZ4EcvFu/yIqw1EB\n" +
+        "E1zlXQCaWXT3/ZMbqYZV4+mx+RUl8spUCb1tda25jnTg3mTOzB1iztm4gy903EMd\n" +
+        "m8omKDKeCgcw5dR4ITQYvyxe1as=\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 1024 signed with RSA 512
+    static String intermediate_MD2withRSA_1024_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICDzCCAbmgAwIBAgIBBzANBgkqhkiG9w0BAQIFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDlaFw0yOTA0MjMwMTExNDla\n" +
+        "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+        "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVOqnlZspyAEr90ELFaUo8\n" +
+        "BF0O2Kn0yTdUeyiLOth4RA3qxWrjxJq45VmEBjZpEzPHfnp3PhnfmLcLfhoPONFg\n" +
+        "bcHzlkj75ZaKCgHoyV456fMBmj348fcoUkH2WdSQ82pmxHOiHqquYNUSTimFIq82\n" +
+        "AayhbKqDmhfx5lJdYNqd5QIDAQABo4GJMIGGMB0GA1UdDgQWBBTfWD9mRTppcUAl\n" +
+        "UqGuu/R5t8CB5jBHBgNVHSMEQDA+gBSDgrB3juF01AGnyCtmxEnle+G/EKEjpCEw\n" +
+        "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+        "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQECBQADQQBHok1v6xymtpB7N9xy\n" +
+        "0OmDT27uhmzlP0eOzJvXVxj3Oi9TLQJgCUJ9122MzfRAs1E1uJTtvuu+UmI80NQx\n" +
+        "KQdp\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath(String certStr)
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(certStr.getBytes());
+        Certificate cert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {cert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        HashSet<TrustAnchor> anchors = new HashSet<TrustAnchor>();
+
+        ByteArrayInputStream is =
+            new ByteArrayInputStream(trustAnchor_SHA1withRSA_1024.getBytes());
+        Certificate cert = cf.generateCertificate(is);
+        TrustAnchor anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes());
+        cert = cf.generateCertificate(is);
+        anchor = new TrustAnchor((X509Certificate)cert, null);
+        anchors.add(anchor);
+
+        return anchors;
+    }
+
+    public static void main(String args[]) throws Exception {
+        try {
+            validate(intermediate_SHA1withRSA_1024_1024);
+            validate(intermediate_SHA1withRSA_1024_512);
+            validate(intermediate_SHA1withRSA_512_1024);
+            validate(intermediate_SHA1withRSA_512_512);
+        } catch (CertPathValidatorException cpve) {
+            throw new Exception(
+                "unexpect exception, it is valid cert", cpve);
+        }
+
+        try {
+            validate(intermediate_MD2withRSA_1024_1024);
+            throw new Exception("expected algorithm disabled exception");
+        } catch (CertPathValidatorException cpve) {
+            System.out.println("Get the expected exception " + cpve);
+        }
+
+        try {
+            validate(intermediate_MD2withRSA_1024_512);
+            throw new Exception("expected algorithm disabled exception");
+        } catch (CertPathValidatorException cpve) {
+            System.out.println("Get the expected exception " + cpve);
+        }
+    }
+
+    private static void validate(String intermediate)
+            throws CertPathValidatorException, Exception {
+
+        CertPath path = generateCertificatePath(intermediate);
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 9, 1));   // 2009-09-01
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        validator.validate(path, params);
+    }
+
+}

test/sun/security/provider/certpath/DisabledAlgorithms/CPValidatorTrustAnchor.java

+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ *
+ * @bug 6861062
+ * @summary Disable MD2 support
+ *
+ * @author Xuelei Fan
+ */
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+
+public class CPValidatorTrustAnchor {
+
+    static String selfSignedCertStr = null;
+
+    // SHA1withRSA 1024
+    static String trustAnchor_SHA1withRSA_1024 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQC8UdC863pFk1Rvd7xUYd60+e9KsLhb6SqOfU42ZA715FcH\n" +
+        "E1TRvQPmYzAnHcO04TrWZQtO6E+E2RCmeBnetBvIMVka688QkO14wnrIrf2tRodd\n" +
+        "rZNZEBzkX+zyXCRo9tKEUDFf9Qze7Ilbb+Zzm9CUfu4M1Oz6iQcXRx7aM0jEAQID\n" +
+        "AQABo4GJMIGGMB0GA1UdDgQWBBTn0C+xmZY/BTab4W9gBp3dGa7WgjBHBgNVHSME\n" +
+        "QDA+gBTn0C+xmZY/BTab4W9gBp3dGa7WgqEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+        "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
+        "DQYJKoZIhvcNAQEFBQADgYEAiCXL2Yp4ruyRXAIJ8zBEaPC9oV2agqgbSbly2z8z\n" +
+        "Ik5SeSRysP+GHBpb8uNyANJnQKv+T0GrJiTLMBjKCOiJl6xzk3EZ2wbQB6G/SQ9+\n" +
+        "UWcsXSC8oGSEPpkj5In/9/UbuUIfT9H8jmdyLNKQvlqgq6kyfnskME7ptGgT95Hc\n" +
+        "tas=\n" +
+        "-----END CERTIFICATE-----";
+
+    // SHA1withRSA 512
+    static String trustAnchor_SHA1withRSA_512 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBuTCCAWOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDRaFw0zMDA3MTcwMTExNDRa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMFwwDQYJKoZIhvcNAQEB\n" +
+        "BQADSwAwSAJBAM0Kn4ieCdCHsrm78ZMMN4jQEEEqACAMKB7O8j9g4gfz2oAfmHwv\n" +
+        "7JH/hZ0Xen1zUmBbwe+e2J5D/4Fisp9Bn98CAwEAAaOBiTCBhjAdBgNVHQ4EFgQU\n" +
+        "g4Kwd47hdNQBp8grZsRJ5XvhvxAwRwYDVR0jBEAwPoAUg4Kwd47hdNQBp8grZsRJ\n" +
+        "5XvhvxChI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMA8G\n" +
+        "A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA0EAn77b\n" +
+        "FJx+HvyRvjZYCzMjnUct3Ql4iLOkURYDh93J5TXi/l9ajvAMEuwzYj0qZ+Ktm/ia\n" +
+        "U5r+8B9nzx+j2Zh3kw==\n" +
+        "-----END CERTIFICATE-----";
+
+    // MD2withRSA 2048
+    static String trustAnchor_MD2withRSA_2048 =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIDQzCCAiugAwIBAgIBADANBgkqhkiG9w0BAQIFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA4MDYwMTExNDdaFw0zMDA3MTcwMTExNDda\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIIBIjANBgkqhkiG9w0B\n" +
+        "AQEFAAOCAQ8AMIIBCgKCAQEArF5pINc5s+aUlmdYlxtAQ3V4TXFnP/XOYHxjfLuX\n" +
+        "eKO/kh78LMvbDisTPQ2yo9YEawwwbUU40xcuzgi0axXgKveHXYdUmTr0hEapq3rv\n" +
+        "g/q2EbOjyXvq4qK2RDoVCN8R3wXiytnY2OFALTx6zc2tW4imJ20svdNVtWhv2syj\n" +
+        "ZTmmRXAeFUbD4qKWAFij0I6pnSgVssvWzeyJUNemym+oiYyaSd7n5j1RNAqUKioo\n" +
+        "K/T0FOOiuPGMqottgx5YRHa6yapCP5QVWRQ+WBIYJY3Wyq7N+Es20LT6761Pk3to\n" +
+        "EFCzM7+zqT/c+pC079HOKXz+m2us+HKp5BKWNnbvgaYPOQIDAQABo4GJMIGGMB0G\n" +
+        "A1UdDgQWBBSrSukJf+mO5LTRasAGD9RRs7SASTBHBgNVHSMEQDA+gBSrSukJf+mO\n" +
+        "5LTRasAGD9RRs7SASaEjpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1w\n" +
+        "bGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEC\n" +
+        "BQADggEBAHvsv+DqMJeIW/D+ltkhw37OdMzkMPp4E6Hbp03O3GZ5LfNGczHCb2uL\n" +
+        "sr5T7e/jaBFn6QfmqbOAYAHJSNq2bNNtTbatnHBLuVx13cfxmwk89Cg/tFeoUdcf\n" +
+        "m5hzurB6Ub6SsYMOxZHUYp/KxM9x9a7llC1bK3SKXwd4rVDlXh8DOBvdQNr5Q3yq\n" +
+        "JjY86bSXO14VzNxL/1rqHiszQdPyR/28SBsQVYSi0Zeyc4Yy1ui/cXu1+PWYw3YZ\n" +
+        "QUPHTnkVdPGwRiUqeZIcps+q+ePlQQmDu5qiLD6d8gsyGyY/RvCHWKO5Y9DuX9hs\n" +
+        "he/AhCWQx+TQYGLu0liQqLkGZydyRnA=\n" +
+        "-----END CERTIFICATE-----";
+
+    private static CertPath generateCertificatePath()
+            throws CertificateException {
+        // generate certificate from cert strings
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is;
+
+        is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate certification path
+        List<Certificate> list = Arrays.asList(new Certificate[] {
+                        selfSignedCert});
+
+        return cf.generateCertPath(list);
+    }
+
+    private static Set<TrustAnchor> generateTrustAnchors()
+            throws CertificateException {
+        // generate certificate from cert string
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        ByteArrayInputStream is =
+                    new ByteArrayInputStream(selfSignedCertStr.getBytes());
+        Certificate selfSignedCert = cf.generateCertificate(is);
+
+        // generate a trust anchor
+        TrustAnchor anchor =
+            new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+        return Collections.singleton(anchor);
+    }
+
+    public static void main(String args[]) throws Exception {
+        try {
+            validate(trustAnchor_SHA1withRSA_1024);
+            validate(trustAnchor_SHA1withRSA_512);
+        } catch (CertPathValidatorException cpve) {
+            throw new Exception(
+                "unexpect exception, it is valid cert", cpve);
+        }
+
+        try {
+            validate(trustAnchor_MD2withRSA_2048);
+            throw new Exception("expected algorithm disabled exception");
+        } catch (CertPathValidatorException cpve) {
+            System.out.println("Get the expected exception " + cpve);
+        }
+    }
+
+    private static void validate(String trustAnchor)
+            throws CertPathValidatorException, Exception {
+        selfSignedCertStr = trustAnchor;
+
+        CertPath path = generateCertificatePath();
+        Set<TrustAnchor> anchors = generateTrustAnchors();
+
+        PKIXParameters params = new PKIXParameters(anchors);
+
+        // disable certificate revocation checking
+        params.setRevocationEnabled(false);
+
+        // set the validation time
+        params.setDate(new Date(109, 9, 1));   // 2009-09-01
+
+        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
+
+        validator.validate(path, params);
+    }
+
+}

test/sun/security/provider/certpath/DisabledAlgorithms/generate.sh

+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+set -e
+
+OPENSSL=openssl
+
+# generate a self-signed root certificate
+if [ ! -f root/finished ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    # SHA1withRSA 1024
+    ${OPENSSL} req -x509 -newkey rsa:1024 -keyout root/root_key_1024.pem \
+        -out root/root_cert_sha1_1024.pem -subj "/C=US/O=Example" \
+        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    # SHA1withRSA 512
+    ${OPENSSL} req -x509 -newkey rsa:512 -keyout root/root_key_512.pem \
+        -out root/root_cert_sha1_512.pem -subj "/C=US/O=Example" \
+        -config openssl.cnf -reqexts cert_issuer -days 7650 -sha1 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    # MD2withRSA 2048
+    ${OPENSSL} req -x509 -newkey rsa:2048 -keyout root/root_key_2048.pem \
+        -out root/root_cert_md2_2048.pem -subj "/C=US/O=Example" \
+        -config openssl.cnf -reqexts cert_issuer -days 7650 -md2 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl req -newkey rsa:1024 -keyout root/root_crlissuer_key.pem \
+        -out root/root_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in root/root_crlissuer_req.pem -extfile openssl.cnf \
+        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
+        -CAkey root/root_key_1024.pem -out root/root_crlissuer_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+
+    touch root/finished
+fi
+
+
+# generate subca cert issuer
+if [ ! -f subca/finished ]; then
+    if [ ! -d subca ]; then
+        mkdir subca
+    fi
+
+    # RSA 1024
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/subca_key_1024.pem \
+        -out subca/subca_req_1024.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    # RSA 512
+    ${OPENSSL} req -newkey rsa:512 -keyout subca/subca_key_512.pem \
+        -out subca/subca_req_512.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    # SHA1withRSA 1024 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
+        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_1024_1024.pem \
+        -CAcreateserial -sha1 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 1024 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
+        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_1024_512.pem \
+        -CAcreateserial -sha1 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 512 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
+        -CAkey root/root_key_1024.pem -out subca/subca_cert_sha1_512_1024.pem \
+        -CAcreateserial -sha1 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 512 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/subca_req_512.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
+        -CAkey root/root_key_512.pem -out subca/subca_cert_sha1_512_512.pem \
+        -CAcreateserial -sha1 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    # MD2withRSA 1024 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_1024.pem \
+        -CAkey root/root_key_1024.pem -out subca/subca_cert_md2_1024_1024.pem \
+        -CAcreateserial -md2 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    # MD2withRSA 1024 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/subca_req_1024.pem -extfile openssl.cnf \
+        -extensions cert_issuer -CA root/root_cert_sha1_512.pem \
+        -CAkey root/root_key_512.pem -out subca/subca_cert_md2_1024_512.pem \
+        -CAcreateserial -md2 \
+        -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+    openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
+        -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+        -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+    openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
+        -extensions crl_issuer -CA root/root_cert_sha1_1024.pem \
+        -CAkey root/root_key_1024.pem -out subca/subca_crlissuer_cert.pem \
+        -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+        -passin pass:passphrase
+
+    touch subca/finished
+fi
+
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/finished ]; then
+    if [ ! -d subca/alice ]; then
+        mkdir -p subca/alice
+    fi
+
+    # RSA 1024
+    ${OPENSSL} req -newkey rsa:1024 -keyout subca/alice/alice_key_1024.pem \
+        -out subca/alice/alice_req_1024.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    # RSA 512
+    ${OPENSSL} req -newkey rsa:512 -keyout subca/alice/alice_key_512.pem \
+        -out subca/alice/alice_req_512.pem \
+        -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+        -passin pass:passphrase -passout pass:passphrase
+
+    # SHA1withRSA 1024 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_1024_1024.pem \
+        -CAkey subca/subca_key_1024.pem \
+        -out subca/alice/alice_cert_sha1_1024_1024.pem -CAcreateserial -sha1 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 1024 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_512_1024.pem \
+        -CAkey subca/subca_key_512.pem \
+        -out subca/alice/alice_cert_sha1_1024_512.pem -CAcreateserial -sha1 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 512 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_1024_1024.pem \
+        -CAkey subca/subca_key_1024.pem \
+        -out subca/alice/alice_cert_sha1_512_1024.pem -CAcreateserial -sha1 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    # SHA1withRSA 512 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_512.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_512_1024.pem \
+        -CAkey subca/subca_key_512.pem \
+        -out subca/alice/alice_cert_sha1_512_512.pem -CAcreateserial -sha1 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    # MD2withRSA 1024 signed with RSA 1024
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_1024_1024.pem \
+        -CAkey subca/subca_key_1024.pem \
+        -out subca/alice/alice_cert_md2_1024_1024.pem -CAcreateserial -md2 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    # MD2withRSA 1024 signed with RSA 512
+    ${OPENSSL} x509 -req -in subca/alice/alice_req_1024.pem \
+        -extfile openssl.cnf -extensions ee_of_subca \
+        -CA subca/subca_cert_sha1_512_1024.pem \
+        -CAkey subca/subca_key_512.pem \
+        -out subca/alice/alice_cert_md2_1024_512.pem -CAcreateserial -md2 \
+        -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+
+    touch subca/alice/finished
+fi
+
+if [ ! -f root/revoked ]; then
+    if [ ! -d root ]; then
+        mkdir root
+    fi
+
+    if [ ! -f root/index.txt ]; then
+        touch root/index.txt
+        echo 00 > root/crlnumber
+    fi
+
+    openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 -md sha1 \
+        -crl_reason superseded -keyfile root/root_crlissuer_key.pem \
+        -cert root/root_crlissuer_cert.pem -out root/top_crl.pem \
+        -passin pass:passphrase
+
+    touch root/revoked
+fi
+
+if [ ! -f subca/revoked ]; then
+    if [ ! -d subca ]; then
+        mkdir subca
+    fi
+
+    if [ ! -f subca/index.txt ]; then
+        touch subca/index.txt
+        echo 00 > subca/crlnumber
+    fi
+
+    # revoke alice's SHA1withRSA 1024 signed with RSA 1024
+    openssl ca -revoke subca/alice/alice_cert_sha1_1024_1024.pem \
+        -config openssl.cnf \
+        -name ca_subca -crl_reason superseded \
+        -keyfile subca/subca_crlissuer_key.pem \
+        -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
+
+    openssl ca -gencrl -config openssl.cnf \
+        -name ca_subca -crldays 7000 -md md2 \
+        -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+        -cert subca/subca_crlissuer_cert.pem \
+        -out subca/subca_crl.pem \
+        -passin pass:passphrase
+
+    touch subca/revoked
+fi

test/sun/security/provider/certpath/DisabledAlgorithms/openssl.cnf

+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME                = .
+RANDFILE            = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca          = CA_default
+
+[ CA_default ]
+dir                 = ./top
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_top ]
+dir                 = ./root
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = v3_ca
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ ca_subca ]
+dir                 = ./subca
+certs               = $dir/certs
+crl_dir             = $dir/crl
+database            = $dir/index.txt
+unique_subject      = no
+new_certs_dir       = $dir/newcerts
+
+certificate         = $dir/cacert.pem
+serial              = $dir/serial
+crlnumber           = $dir/crlnumber
+crl                 = $dir/crl.pem
+private_key         = $dir/private/cakey.pem
+RANDFILE            = $dir/private/.rand
+
+x509_extensions     = usr_cert
+
+name_opt            = ca_default
+cert_opt            = ca_default
+
+default_days        = 7650
+default_crl_days    = 30
+default_md          = sha1
+preserve            = no
+
+policy              = policy_anything
+
+[ policy_match ]
+countryName         = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ policy_anything ]
+countryName         = optional
+stateOrProvinceName = optional
+localityName        = optional
+organizationName    = optional
+organizationalUnitName  = optional
+commonName          = supplied
+emailAddress        = optional
+
+[ req ]
+default_bits        = 1024
+default_keyfile     = privkey.pem
+distinguished_name  = req_distinguished_name
+attributes          = req_attributes
+x509_extensions     = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName         = Country Name (2 letter code)
+countryName_default = NO
+countryName_min     = 2
+countryName_max     = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default  = A-State
+
+localityName        = Locality Name (eg, city)
+
+0.organizationName  = Organization Name (eg, company)
+0.organizationName_default   = Internet Widgits Pty Ltd
+
+organizationalUnitName       = Organizational Unit Name (eg, section)
+
+commonName              = Common Name (eg, YOUR name)
+commonName_max          = 64
+
+emailAddress            = Email Address
+emailAddress_max        = 64
+
+[ req_attributes ]
+challengePassword       = A challenge password
+challengePassword_min   = 4
+challengePassword_max   = 20
+unstructuredName        = An optional company name
+
+
+[ usr_cert ]
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer
+
+[ v3_req ]
+basicConstraints        = CA:FALSE
+keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName          = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+
+[ cert_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+basicConstraints        = critical,CA:true
+keyUsage                = keyCertSign
+
+
+[ crl_issuer ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer:always
+keyUsage                = cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier  = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage    = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid,issuer