diff --git a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
index 51c05f2a6c54be667fdb44b3102ab3a18d98ad18..34f26f64a0f4893bae02665aab4d0898d50dacff 100644
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -339,6 +339,16 @@ class DistributionPointFetcher {
 debug.println("crl issuer does not equal cert issuer");
 }
 return false;
+ } else {
+ // in case of self-issued indirect CRL issuer.
+ byte[] certAKID = certImpl.getExtensionValue(
+ PKIXExtensions.AuthorityKey_Id.toString());
+ byte[] crlAKID = crlImpl.getExtensionValue(
+ PKIXExtensions.AuthorityKey_Id.toString());
+
+ if (!Arrays.equals(certAKID, crlAKID)) {
+ indirectCRL = true;
+ }
 }
 
 if (!indirectCRL && !signFlag) {
diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java
new file mode 100644
index 0000000000000000000000000000000000000000..e058413198b9716e35eb0acee550a8352c21e6b2
--- /dev/null
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java
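Review bot: The new else branch treats an AuthorityKeyIdentifier that is present on only one side as a mismatch, because getExtensionValue returns null for an absent extension and Arrays.equals(null, nonNull) is false, whereas two absent AKIDs compare equal; whether a certificate or CRL without an AKID is meant to fall into the indirect-CRL handling is not stated and deserves an explicit null check or a comment. Arrays.equals also compares the whole DER-encoded extension value, so two AKIDs carrying the same keyIdentifier but different optional authorityCertIssuer/authorityCertSerialNumber fields are classed as indirect as well; if only the key identifier is meant to matter, the comparison should be narrowed to that field. The added comment is terse; something like `// Same issuer name but a different AKID: the CRL was signed by a separate key under that name, so treat it as an indirect CRL.` would state the intent. The enclosing method starts and ends outside the hunk, and the branch assumes java.util.Arrays is already imported in this file.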
@@ -0,0 +1,193 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. 
+ */ + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLOneLevel { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + 
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + static String targetCertStr = subCaCertStr; + + static String crlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String crlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + private static CertPath 
generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(crlStr.getBytes()); + + // generate a cert store + Collection crls = cf.generateCRLs(is); + + is = new ByteArrayInputStream(crlIssuerCertStr.getBytes()); + Collection certs = cf.generateCertificates(is); + + Collection entries = new HashSet(); + entries.addAll(crls); + entries.addAll(certs); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + 
params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java new file mode 100644 index 0000000000000000000000000000000000000000..40ec3d09f8f6640642f2208862427d86d3de2ab6 --- /dev/null +++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java 
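Review bot: The comment `// 2009-05-01` on `params.setDate(new Date(109, 5, 1))` in main does not match the code: java.util.Date months are zero-based, so month 5 is June and the validation time is 2009-06-01; either the comment or the argument should change, e.g. `params.setDate(new Date(109, 4, 1)); // 2009-05-01`. The same line appears in CircularCRLOneLevelRevoked, CircularCRLTwoLevel and CircularCRLTwoLevelRevoked. Both dates appear to fall inside the validity windows of the embedded certificates and CRL, so the tests pass either way, but a reader checking the chosen time against the CRL's thisUpdate/nextUpdate will be misled. Separately, this non-revoked test's catch block swallows a REVOKED CertPathValidatorException, so a regression that wrongly revokes the target would go unnoticed; if that outcome is deliberately tolerated a comment should say so, otherwise rethrow it (CircularCRLTwoLevel has the same catch).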
@@ -0,0 +1,196 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. 
+ */ + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLOneLevelRevoked { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String dumCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" + + "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" + + "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" + + "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" + + 
"/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" + + "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" + + "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" + + "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" + + "-----END CERTIFICATE-----"; + + // a revoked certificate + static String targetCertStr = dumCaCertStr; + + static String crlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String crlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + 
private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(crlStr.getBytes()); + + // generate a cert store + Collection crls = cf.generateCRLs(is); + + is = new ByteArrayInputStream(crlIssuerCertStr.getBytes()); + Collection certs = cf.generateCertificates(is); + + Collection entries = new HashSet(); + entries.addAll(crls); + entries.addAll(certs); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add 
the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + throw new Exception("unexpected status, should be REVOKED"); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpected exception, should be a REVOKED CPVE", cpve); + } + } + + } +} diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java new file mode 100644 index 0000000000000000000000000000000000000000..99705da57b6daa95fad000658be4c97dfb2ed647 --- /dev/null +++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java 
@@ -0,0 +1,245 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. 
+ */ + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLTwoLevel { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + 
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + + "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" + + "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" + + "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" + + "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" + + "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + + "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" + + "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" + + "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + 
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + + "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + + "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + + "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + + "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + + "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + + "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + + "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + + "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + + "rg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + static String subCrlStr = + "-----BEGIN X509 CRL-----\n" + + 
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + + "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + + "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + + "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + + "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + Certificate subCaCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, subCaCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new 
ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + // intermediate certs + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java new file mode 100644 index 0000000000000000000000000000000000000000..c132b995c312c1d71b213224813280741858e9dc --- /dev/null +++ b/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java 
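Review bot: The comment `// intermediate certs` in generateCertificateStore labels the two CRL-issuer certificates (topCrlIssuerCertStr, subCrlIssuerCertStr), but the path intermediate in this test is subCaCert, which goes into the CertPath, not the store; `// CRL issuer certs, presumably needed so the validator can build the indirect CRL issuers' paths` would describe what the store actually holds. The single `Collection mixes` local reused for both CRLs and certificates also hides which kind each addAll contributes; separate `crls`/`certs` locals, as in the one-level tests, would read more clearly.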
@@ -0,0 +1,247 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. 
+ */ + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLTwoLevelRevoked { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + 
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + // a revoked certificate + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + + "MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n" + + "1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n" + + "+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n" + + "FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n" + + "tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + + "9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n" + + "5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n" + + "tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + 
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + + "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + + "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + + "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + + "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + + "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + + "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + + "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + + "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + + "rg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + static String subCrlStr 
= + "-----BEGIN X509 CRL-----\n" + + "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + + "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + + "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + + "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + + "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + Certificate subCaCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, subCaCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + 
ByteArrayInputStream is = + new ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + // intermediate certs + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + throw new Exception("unexpected status, should be REVOKED"); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/README b/test/java/security/cert/CertPathValidator/indirectCRL/README new file mode 100644 index 0000000000000000000000000000000000000000..5cd8587d66bcd4585243308b819fdd5f91432bcb --- /dev/null +++ b/test/java/security/cert/CertPathValidator/indirectCRL/README 
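Review bot: The validation date set in main() does not match its own comment: `java.util.Date(int, int, int)` takes a zero-based month, so `new Date(109, 5, 1)` is 2009-06-01, not the `// 2009-05-01` the comment claims. Both dates fall inside the CRLs' thisUpdate/nextUpdate window (2009-04-27 to 2028-06-26, visible in the PEM) and the certificates' validity, so the test still passes, but the stated intent should be pinned with `params.setDate(new Date(109, 4, 1)); // 2009-05-01` rather than left ambiguous. The test also mutates process-wide state with `Security.setProperty("ocsp.enable", "false")` and `System.setProperty("com.sun.security.enableCRLDP", "true")` while the jtreg header carries no `@run` tag, so if the harness runs it in samevm/agentvm mode those settings presumably leak into later tests; `@run main/othervm CircularCRLTwoLevelRevoked` would isolate it. The unused `import java.net.SocketException;` can be dropped at the same time.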
@@ -0,0 +1,373 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + + Certificates and CRLs + +Here lists the Certificates and CRLs, which was generated by generate.sh, +used in the test cases. + +The generate.sh depends on openssl, and it should be run under ksh. The +script will create many directories and files, please run it in a +directory outside of JDK workspace. + +1. 
root certifiate and key +-----BEGIN CERTIFICATE----- +MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ +Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n +jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID +AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME +QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO +BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw +DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0 +484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye +iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz +Vjw= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,407A749DF8F6338E + +4ukHU4tkRAh2w17NEjPTICMbVtoS24bNk11Ywd7OzLV0aXnes2nSAV0KnXqnPTP8 +0VdoMVpp7r/jdaJvd3oL7MF5WcURzcOx2rirg+HeD5lHv0Blrh1FADcI1CQNsi8b +WZHVuCc1+feOKxixPB8Fge5lKeeU554iTTk5XjOxAKO6GFn8FInj7b3+Zse4A/1E +AOSKVSIWbx71owQyzjrYfoGE/oJVaSRraUbJL4xKcSUYdK+7Qp6h/HI1Cne2DZKu +UmApdQnZbxa8hjuLqOiQFu6TVpzJh2UOqu1PEmjJgEM4DQQ9C8AgHdkVYitcLjiI +b90H7JFl3EekMbjKEX/w2Z6y4RzFC9oGpJL/QpKvlq6sY7htPd1MK2UbWVE7/yq/ +holkrvySI1S7BFqKEdIY8Oe0tCNlmELdmL1+yVnQT0LnAX/bkzLNDw1n5J4WpLSX +JdsgAXmw1hTh24tnT1E6IUd8HM4QyVrvsqCuEHTSMix1u6QCLvdlw4P6yA39ruiY +xbBIcb5PHic0UrcdElRCzXLtW6tRe/98ET7WDEJOLudSUOSG3CKwrEX/kekBqJ11 +pAO34wLW5gsPwk2AQ1fAaNwHtGBlvKXnmbyuNitytA3/oSENSXnDHD2tIe1Jtep6 +yrfB9IqYEhINRi9BRR4rCkUwkBSRi4bRI7AzRP8pImG+iCDN6sT7T/mUmTTgFVLX +NxPSGxbLxbidxnBU0B2JA3PfXqtt7J2Q5n0t3R3SC3iUxURGOvvccA3TcIWd4H75 +yQZNzvSIfTG3RhIM0as8/Ahad8hsdE/MqgW50yhzyjNF/UkvFLV8mw== +-----END RSA PRIVATE KEY----- + +2. 
root crl issuer and key +-----BEGIN CERTIFICATE----- +MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC +SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ +atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID +AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw +PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD +VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY +eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP +FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck +uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4 + +cDfhsWvWCNruFN+9gSWSEz8kffFrqnvp9sxQx2/EwBrC8HNdQQqQqhkcb5moALz0 +KxAFQMmUG476v1zRv4ZRIpmT9gYhuqSpqKVQLRzFhe9wUDsCOcNCSfqK4I4blt+R +gqRF+o97iNun+T2QXvku6B72CgQhJQHrEifoSTSGYpKGIVnhBmBPgadKn864zrv0 +ZvwjjRtgyC6/QTfKcXTW+8TIa8Bg/821ZJ0FcNsJs+2tQnki/KubRBIo7rGXGcxO +f5PtO8BTjsw6G9TMuHKPlozOgGBgkQzf3gNXOLhdjwSDJUlTLLx5ugal+q0VVK7a +Np8rK1SLrbC9ReI/VGD8BBW8qHRYhJny2JQ0ub8rXIptILNxH4d8r5ye3NaoskVN +S4i5Jr5bgr0ijZ6kdECDiAoUo6UtTX1O9nbZA2AyJLch8gfNs+WeJLDmG9JPGVsW +moGPGev1ykTc11Hn8K6S0errWD778B+k0ODLWg3EP8E1GFgdChTdMz2fT+YNrvQ/ +0iJATduzl4BN9eVB2qnadDAXfWm9kwkaX915ePKU1RpEnU3WygSnze8MfWshVJTn +2F/meijLWgqrb4fmyd6KoDeqP5a+ByAPAiw/oAtemWSDviDc6VpXcXCL8dYoIBOV +ehg/3Z/DmjfVFHdl5PWQfHiuVbIJbr/soQiTvDsjypYDi/aiY729ils2IxmzIQR8 +iLhOtBr6yd9qfqQ0761cYrdW5HlsTHOyZFctKxIf98ybzp+bJlskH8ifA1kgNLs3 +18T2gS+SkKqITi6TmD4Fkob+UtXPyzsb/8g7cNSv82k= +-----END RSA PRIVATE KEY----- + +3. root CRL issued by root crl issuer. 
+-----BEGIN X509 CRL----- +MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX +DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ +KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY +CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg +oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54= +-----END X509 CRL----- + +4. subca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj +8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG +Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8 +P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr +IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj +UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF +hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ +7cXP6VDeZMG6oRQ4hbOcixoFPXo= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0 + +8S3B4hsTW2OI6CA7bgoou4nt8VQckaRKvC6v+J/gHhnjd9aWnv3wKHhZsQl42+dY +HB8DImLTU02gnf3tEGJrTIyrIGrrAjwvio8yzxVqOnNuB6CamlCYx6Td7L09+Wlp +8qV1dj+czHhkoH/r0oRHU8NKQMphLQ0kcq3n+hM1UcSzdPxStyIBSRn34dKkuA+t +UjKfxbaPMN0dABPesN5emyAUYvVu4qSgDaw4pkqJKk/3+DL6lP3Ih93vTnyx7KU5 +UexoA9apTDGQuiNbhoKJwOlrG2E7Y57eVOW52b7QPHH8miNCJ5UJALBymPkBc76s +D1ioMSdPWfy5C70Hh219oWync3UTToL/Jh1jc0ir5XI5l9lFz/IEA9uhxg137ixB +Gj1f2S+eSgnQ3SADVrA5wwX88nrjDufrFpH7ofq947IbI9F6iTMOSqR1uIy0SryW +jhB6t/fB0alZceqn8dLAFMV2WvVCGsWx53zcGg09q29FkjpLJpZiI6Bc6EYdk+nn 
+aeGbHLxwKf/vLcD0Oyx4FiJS1vMAEex41eblcwqjiU6vql9LbIFX4hVjGoQ/cL0U +bjEZjWlNPAvbBVAlStEXOyZzrrDJUags5gqhdv6VKvzQouwH3+Ivbx7UiSTpJ3If +A9txNSVsqc5MTy4hA30RSdMwoP4lK2PrHvivNnZi/kD7Knxn9OuEVBL3KXTmYduQ +kDmJzsKWOPvXHEgAZkfXIPKYNT2Z5LuS3yPSlGUcInImBawOkqgs5NJvUTrkbDMk +uSrOUFUBdBczU4I5oD1vs9yNhLtaK0S6w3gfiHNpIfg4FIFbdqmnAA== +-----END RSA PRIVATE KEY----- + +5. crl issuer of subca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd +LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N +4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm +6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60 +jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x +CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN +BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX +QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3 +bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M +rg== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3 + +KdLa0JlKnRDBf/bwtpvmcerBOzJNPidRoIrqDt8fZ5r4WyUWhmBzkNgmBu6KFFPQ +4IKK4GW7Oo/D7x1w4hIyDt+JaMSdWWgSyvlIWZ6gSDEsqhzMHQpFNxDet8oD3B6H +CMdfXuQ7VHWcYhjX078FNxSRqTQvKR1eAv3AdnXAkuH6Z8V/if1dlQ/yFteSKzCZ +Y468leZR14Fl0J8au8LOHxZ6tUBvVXUTo0/FutsfOs9BfLTLkKvLS2pEjMdwnfvS +4utV/keK7edAXALfnclAshjYShxgwcyAWszJs9M16k/jqAGdDLAfluoZaznfZ1sc +KhAyIKYRo1XivjmTQxvQRwdG+X/w8CYUzawybt8TtXyLyu4cRdEHsEDyjJ5eG9ap ++ZDP+djWmrjUPKN5Ahc+Fjtsi6i8PcVFnYTnMAwfjiBd4iU+zJEhne0YUB4QRZee +5jdLC8OUfqU0tByj7kDxn6shU2F3r7gIjPqx9DEWGWSf5XDlfk880GGIR67cNEqo +lMLP/9/KUEeCwgrvqKdoD/O7qbNlmX7JyGcl/eU2Zsq5P5xkLWenuRHwpJlmV19m 
+2Ovg2gK24okl7FiUgP3vNAzDznqHfyoyoR4noKPwtRANOI3otJxokMFGlgzQAXZB +4Eg6M+VLuTxoV14tsSqtkBGNFOUE06n3G5CKuXbh3gXQs0gc8BvzuRMawVSHC144 +UJM3X73aqSM42lwO2pBjMfxyPdFNkxf3lDuyfMOhGlpDwsny4N4EAOS5ctKNl3Ua +oP0BiqyKSuzreg1Ouwq1XxxnWec6XqlHm9482I/vautunqLYQDcfQQ== +-----END RSA PRIVATE KEY----- + +6. CLR issued by subca CRL issuer +-----BEGIN X509 CRL----- +MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw +NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO +MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr +aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX +nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa +ARGr6Qu68MYGtLMC6ZqP3u0= +-----END X509 CRL----- + +7. dumca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc +0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W +bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4 +f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL +/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05 +EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp +TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs +mihnXyZWWTA1sPZlVJu7/abJ2v0= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3 + +KUkwAyP6ba59QAdDbaXGLmtxtrAilKjFVB+2eawq2Arpumu4cl1joeLtMANF9f1f +afG5FDATYke6C0FMD/bfF4VkUcVUq+Daw8uS5LkDTYjRqrxE4nCLBhxDJdNiIhUi 
+VNuTMITqcpOOU77nUu2O5LW9Z40F6H9x86SeHOeY0IrmhlFVgHuxr81jdrd8OLYK +7DkKPUa5F331fAkknOQIYnhmCXeHtlTv8ozU5bfBc6TePAL6Y1jn7Hv7EB9C2yYU +6qejxzKBgxWWWuYU21K0gayPmq8gAKyfi21xSxFR+a9GxRlf+K/x07i7w7oT6QLh +Qft76I+UER2jYYeQm3sxEeLBq9nDb2HfSjOnLjh3J2c5Tp9B2dmLxPk2hHim4cUn +nyE8lGDwt/+t6lM8GWfAPn92r2/YOQWr+MXcwE7hi8NZp4cjRR+UqXc0p4+3rKzQ +IuD5CGgtx78sxMrAxfwvkedmYpjf9L8nGWdbivOI25mNKSXhEjMNzv+lC6nLQE7o +6LLA3voN+SiVh7wu45FMJHsz1JOjUjwYXS931GsHyd/sy9q7wUkzokKc1WHML2vl +NglC/4w3NOuEYm5ZDlu6QYQh2uIg/pHPO3am2NTjffjFV0uXEZGd0Qw3gPv9gPNv +iMRa+6vQfl97xOYOtep4yp5L7XatoLMrVmboykdrojUuAQSiZgfwIR/f/NPbVvHp +q3/fadE2hLpkkSJjPm5ensFXoLn14QTdVpKl3mjnAa0rb8q5edz4d8r644NHaYH0 +nxToTdZpSH7uGAuOMZwvUaKT//hojKBj6hjlDuVJWs/kwRHbWJEd4A== +-----END RSA PRIVATE KEY----- + +8. crl issuer for dumca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICPTCCAaagAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDDBVR9IPJq6ND9z3Wpsv +s0VfJief2QW6U7fNYAnpD4eXNXdwWtZvybMI12crUp31AWzjIaffsBzlFjBO3vKn +edJ+Om2nhqPPT31nDIWIx1VdS7jL+XoFpo8QgzJQpX0rDZNhaTbQcgnuRhzOZ+x2 +AzxxQf7aMI6YQ5xklO1ftQIDAQABo3cwdTAdBgNVHQ4EFgQUYqt5Hbekj/p4UkfY +sP4Ma5HdTpkwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x +CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN +BgkqhkiG9w0BAQQFAAOBgQAMBqjEfALPFj+asQfTjSqXZimybm5WCYJcv92WAaFm +2aJe08jUKCwCVo29CFMMgVG5X0UhEP+ude9RyonYNrMg84hFrQdZSto4Co5yfCGi +SMaa91gkN8/W4VKFjDoooOQ/9o6i22OC7av6+r+qhGMsop5mqRMumAM+C00dy1m6 +5g== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5 + +V+hWLshb8wbqv8MqBFVZUBK3T995hc6xxWt9wn1aFVcvoxSmWQ20/9LdYDFNhf5j +3grRdy6sBmQY1Ch73Q1N8egl0FlqqttBY62ulpVQFCYcYhCSMJKSDJyw5pYlQjd4 +LpVXhqsTCB1KdeOVkdB45Ljg7wy+idWfo6U0pAPjhnbPysZWuPrIGVIrVfDMz1tw 
+ohuh/NOsF8r2w/U3zBaGKoeW/TGkxXBCKhMU78fve5ytEwv9Gp5m1O5yHJDqNC1M +gtAQvvXifeLaCRfOpQtCHGuoR0fhdOnQPJQ/4Nre/dRG8zDVa3FKvWjMPbse4cxJ +OljgVyd7UWrnUvnlNufI3T069b6aAfk16eLz9RAJZNZfpXflboRcaHW9VmjU8m7Y +ir353hxKQk+P+lU2Ysmu7hx/QKmfG8aKI+r7tXnm1J0dmbeOZE69i4lhvXNvx1N2 +kPNKXsQ3kMKdJNVg5TQrUaqa7GtdQlg3Nr+FpaZ5aZJhTNFejQZrTV9bnQHob0q2 +1KCveDPOy2qtRY/mK+BnlNwGx1Ti87iGHv0Om8tXI53G0UkJs3LMI5JPcmHXVC1c +skU6nAxhdNPSDN7EBMF80xte99qQTTtDbYQbIqMtd8lCP4HaYhTtlBeaROuntEjx +3XDXVIHKHxSsrrKn/dE8Ls7tv1j0XxarzGekhQWZ6xbxxursiMstZUfDeQR7SlwC +a3Lem76iGo2BqZd6wbv0i45P2hVQ8DuNhmOphC7DTFQmudOnFJKHPp8pmca+LGfV +dgFmct3vSnWjnTvRDktFblfYa0r0QZDSKZt7TiI4QjR5iqP8WEziKA== +-----END RSA PRIVATE KEY----- + +9. end entity certificate issued by subca, Alice +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK +ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2 +V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/ +pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE +4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG +9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR +wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3 +Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,3616B3F098ED6707 + +uXoAPYIUINSr8Cc67K1XdLPO/toBasXYJAYYodq+qMsqYVhjgUgzJWYBwayav04Y +tPgID3f4olLMQP77h5nHLArQCdgI3ZmKDZ6tYR7c2YglTqO1h4pzptv3Csc6lsnr +zYS43Wg5YK8lAVxAbaDqG/xRiJhEG6+Xqno/lyDSUcDjcsyULWCf1mUZUR66fpnO +Kcvmec3RFS6PPpYKJ/3Hl6Px5TsnSMEgb8OIrLik4Tj08XhdBEZxTJcyA1JPeAUP 
+PH9hm+TWb3E+kDywpItMlTFIhS6b41JGo6Rq6HwVYquCoE4NO32vovd57u5R20yy +3mfzc0udAYDD8drnzp2XPridqy47m/zFpVgfYU+irH3uW/n1QSB0w3fdCRXNEl6c +5dAAwwIR1Pn+RAVUvZ7sQ/qReSOHg85uH7FjY9+m4d4vtf8aV410pyDbaNnevvfK +fTiwmopWujL9sJoZZYP04QZ1f+8aGA41dWS837d9e2F/9BtI5zlymEhLs8UFHziJ +Cw41xnOHHaoxtDFSvSmc2G6o0jfwJ0AZf8toyB5kj+rd5iu2Z1Kmk8vd4bK5SCwT +dZRLri75Hyns7fLMXuzOrJXLaYkLp7gk2YaN368M7mj2Z7yLBV0CoVopS2tfRVJn +fzaxyrkzmZKPKq+m8+UjnlwRW7yR+2RYlFNP3/KemB2i+nXd35f1QCZqb20Lmbbx +jDc1CxESY1wzY5oqUGXeFapbM4YKhQQ5BK90AjVfss1ymBT5vhSjoJSIW2yeklcI +F/WuQ/CrBlmODbiM2LsQMTSoYcAIOUaRcVh/7kvlOlQ= +-----END RSA PRIVATE KEY----- + +10. end entity certificate issued by subca, Bob +-----BEGIN CERTIFICATE----- +MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzdaFw0yOTAxMTIwMjI0MzdaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANHxsJI6N5CawwUWJ63i2bvgdHzrsKUeBs7CXEIovPll ++utfqwJGGkkiW9FVxQ2NQfMoHKdSrbLQaZ4I6U75yh40ZiSgSCELzlW8JC48kX7u +txYJzszjT6lATW+mRdMoO0guxAS4NcldoFHZ0nLkAvhRRpZgdS+wdc0LODxeplqT +AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQU2yqQyfYTig4K30lCbEsR +rSrhM6UwHwYDVR0jBBgwFoAU9P5zT/FqcsZmKyAaeLTfMtPI8NowDQYJKoZIhvcN +AQEEBQADgYEAn6j1wY0G5dieYdwUBAJuh6zP1Cu+J12NgdetHAaN6Q3tP339ToCi +C2NQYvFSwOZ7CKf2ofQq5qWA4EFd7PNxpYaVjhhxzkeQRuv/r/sA3rH+01MPx5ob +N1wXY5QmBOuHJIKroNH60u9GzOIGIANZuYWsluw4spWRpvOdqudJWlg= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72 + +cC15d0phhzxu+Y3FMLu22WejN0JEVGCD0Qbwz73+ahVCqivd7aaipXfnuyuIJW12 +ZHKR0ixZUwezRqqM0/D4vKyFR9giJ14A5Tk7RFzimm0JqdJYRXrmVEp+QdVYbJFC +5ncmU/KCAJcHwewixbjo5pkrWNDpIWeIqI8F6rvY1MLSMCCwYfr+1SP5U6AB3+1T +yySvWwK+TIAgVMNjhDKlJ78BxQ3C/AMw5grAU0t2jmuuuXJPML72mQ95ZBgcJsRF +S0walZGZlK+p9S/b4EVzO+oaR1icazH1WJTyuzKOOurlFjFk3tmsnhNuWQTkNjgV +wKODHLA8E8tBajYAYmkQX+uQOmol9LXSOrQFrxvHF3dWC5giOtPYeh9ibEFx+RMu 
+2EmkF/9VFxzh+kK9KL2qplm4K3HoL/v9g/LlKowjQlr7LoJRCRDOmESCUWX0JPPB +nD01HvyRjgpUAeKtxR3hjH3CrUM1rdLAJaFi1RzgjvXeXhX5stD3X6UCWFbeBBh1 +yic4RIGYWjqE7RJRd/Q+/11rCkONg9stYcpe1PL5fJWSC8Sixo6XQTQDbxOJBQbr +gCoUFfCcN8nOYdSe2wWrE/l7r/mRFYbwlErlpomSaxye5yzXhombnZ2k4jNKylEp +TMsvFtVXFyoLWFqhtrv/Sg+0zDox1HMx+qzePYsz9+/rrS7ej6b5c8r6yqmg7nHn +XM4REA46bWcAVjkLNpNZU4i0iURrkjuK0uVFYfnFIxrvGLys8dzH+xAfAHcP0zZ3 +/K54gAGk4ZVVXOt8JKOVxAOj2+8f0Gbf28leRx/VOJlEZBpU6UVg4g== +-----END RSA PRIVATE KEY----- + +10. end entity certificate issued by subca, Susan +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR +1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ ++rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo +FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is +tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG +9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f +5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi +tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A + +YhChWe6DOA1Ck5BAjWrHmPkHcS9x5pDw81p31gSf7SE9MCwfsvAIq9jZ7xol3cIJ +5dhbXtBaJIRghke11McQ6zM2DE+9izCO4itedw94i95jSzgpEHTk6gwp9MuomSsm +ytrqIhwEtVC8PaQmywqshKWnpDn3tZESwySNZjUjzHhyzn2Vuyrb0WaHmw3uk33O +7muGNkmn/1yP1qRyJ3YSGcMNpk2zvJDZS5CfJH9sb00+LL4PTKg4dymw4Vjk7b5f +P5JGLbFCBbQ73CwSNLsQGV4qGz7AnRhsmPmNughshOoLKSEAxUsRHE67qyl+Flx0 +KZEGeKZUJD9fzgMMdNoYk0Pg9zxzM1oNewxsFk2tTrtMfGq+XFokWKfJoQWguStY +BJWETGrSbXiDMIE93gX40C2zlT06ziOYfFCXeVRcBarolonTrOXt3RZzsQpY4lTz 
+AAGrb2I9ZByL59ujfniTqljtBpuCKAm+jS0ofcGlQQ0MawtSOeSbQkFKHcKpcK0V +cKMFL3sEzeJf+1LCt7Xnt4gaoXtTpVoWVWFZkghDSmIAHzKaWHAHn5PcUjwAAZHb +47IRq+pe1WLc+tb61+E2jkhFC06QOSxmWSV3CHfMZTxkXX7B7RCiqs+tVH5Vlj/C +ZhkSfmANUVPW1H0KXsDq6lzrEnvaZXZIzTLvj+OsLcG1anXdwPn0NPikfRU0GTvA +fCzg7ZWlexJgl5I48X7AzpHpTPGAHGeNpYjzGWbxmC0KREcAM0yD15uFVac/ZIVI +TO0icmSiRoshC70zo9/u2hUP1e4+s1vl0laq0WjGfFORE1JZ1Cs2Dg== +-----END RSA PRIVATE KEY----- + diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh b/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh new file mode 100644 index 0000000000000000000000000000000000000000..06429d63ffadb0140a3536db0c7d69ca2692b8a5 --- /dev/null +++ b/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh 
@@ -0,0 +1,221 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+
+# generate a self-signed root certificate
+if [ ! -f root/root_cert.pem ]; then
+ if [ ! -d root ]; then
+ mkdir root
+ fi
+
+ openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
+ -out root/root_cert.pem -subj "/C=US/O=Example" \
+ -config openssl.cnf -reqexts cert_issuer -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+fi
+
+# generate a sele-issued root crl issuer certificate
+if [ ! -f root/top_crlissuer_cert.pem ]; then
+ if [ !
-d root ]; then
+ mkdir root
+ fi
+
+ openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
+ -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
+ -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate subca cert issuer and crl iuuser certificates
+if [ ! -f subca/subca_cert.pem ]; then
+ if [ ! -d subca ]; then
+ mkdir subca
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
+ -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
+ -extensions cert_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
+ -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+ openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
+ -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
+ -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate dumca cert issuer and crl iuuser certificates
+if [ ! -f dumca/dumca_cert.pem ]; then
+ if [ !
-d sumca ]; then
+ mkdir dumca
+ fi
+
+ openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
+ -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
+ -extensions cert_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out dumca/dumca_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+
+ openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
+ -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+ -days 7650 -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
+ -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
+ -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
+ -CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/alice_cert.pem ]; then
+ if [ ! -d subca/alice ]; then
+ mkdir -p subca/alice
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
+ -out subca/alice/alice_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/alice/alice_req.pem \
+ -extfile openssl.cnf -extensions ee_of_subca \
+ -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+ -out subca/alice/alice_cert.pem -CAcreateserial \
+ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Bob
+if [ ! -f subca/bob/bob_cert.pem ]; then
+ if [ !
-d subca/bob ]; then
+ mkdir -p subca/bob
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
+ -out subca/bob/bob_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/bob/bob_req.pem \
+ -extfile openssl.cnf -extensions ee_of_subca \
+ -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+ -out subca/bob/bob_cert.pem -CAcreateserial \
+ -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Susan
+if [ ! -f subca/susan/susan_cert.pem ]; then
+ if [ ! -d subca/susan ]; then
+ mkdir -p subca/susan
+ fi
+
+ openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
+ -out subca/susan/susan_req.pem \
+ -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
+ -passin pass:passphrase -passout pass:passphrase
+
+ openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
+ -extensions ee_of_subca -CA subca/subca_cert.pem \
+ -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
+ -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
+ -passin pass:passphrase
+fi
+
+
+# generate the top CRL
+if [ ! -f root/top_crl.pem ]; then
+ if [ ! -d root ]; then
+ mkdir root
+ fi
+
+ if [ !
-f root/index.txt ]; then
+ touch root/index.txt
+ echo 00 > root/crlnumber
+ fi
+
+ openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+ -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+ -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+ -passin pass:passphrase
+fi
+
+# revoke dumca
+openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
+ -name ca_top -crl_reason superseded \
+ -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
+ -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+ -crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+ -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+ -passin pass:passphrase
+
+# revoke for subca
+if [ ! -f subca/subca_crl.pem ]; then
+ if [ ! -d subca ]; then
+ mkdir subca
+ fi
+
+ if [ ! -f subca/index.txt ]; then
+ touch subca/index.txt
+ echo 00 > subca/crlnumber
+ fi
+
+ openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+ -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+ -passin pass:passphrase
+fi
+
+# revoke susan
+openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
+ -name ca_subca -crl_reason superseded \
+ -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+ -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+ -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+ -passin pass:passphrase
diff --git a/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf b/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..5a090f05f3a806f515646fb6842aabade30d5600
--- /dev/null
+++ b/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf
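Review bot: The `#!/bin/ksh` line sits after the license header instead of on line 1, so it is only a comment and the "needs ksh to run the script" requirement is not enforced when the file is executed directly; move `#!/bin/ksh` to the first line of the file, above the copyright block, or document that it must be invoked as `ksh generate.sh`. In the dumca block the directory test reads `if [ ! -d sumca ]; then` while the next line runs `mkdir dumca`, so the guard never matches the directory it protects and `mkdir` fails with "File exists" whenever `dumca/` is present without `dumca_cert.pem`; it should read `if [ ! -d dumca ]; then`. Every key is protected by the literal `-passin pass:passphrase` on the command line, which is acceptable for a fixture generator with a throwaway value, but a one-line comment at the top stating that all keys and passphrases here are test-only material would stop the pattern from being copied into a real key-generation script. The comment typos `sele-issued`, `iuuser` and `certifiacte` should be fixed while the file is new.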
@@ -0,0 +1,206 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./top
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_top ]
+dir = ./root
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_subca ]
+dir = ./subca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = NO
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = A-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+
+[ usr_cert ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+
+[ cert_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign
+
+
+[ crl_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
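Review bot: The `[ crl_ext ]` section near the end of the file is never referenced: none of `[ CA_default ]`, `[ ca_top ]` or `[ ca_subca ]` sets `crl_extensions = crl_ext`, and the `openssl ca -gencrl` invocations in generate.sh pass no `-crlexts`, so the CRLs this config produces presumably carry no authorityKeyIdentifier extension at all. For an indirect-CRL fixture that is a significant property, since the CRL's authorityKeyIdentifier is what lets a validator tell the CRL issuer apart from the certificate issuer; either add `crl_extensions = crl_ext` to `[ ca_top ]` and `[ ca_subca ]` or put a comment above `[ crl_ext ]` stating that the CRLs are deliberately generated without an AKID. Separately, `default_md = sha1` in all three CA sections together with `default_bits = 1024` (and `rsa:1024` in generate.sh) yields fixtures that will be rejected once the JDK's `jdk.certpath.disabledAlgorithms` restricts SHA-1 signatures and 1024-bit RSA, so a `# test-only parameters; use sha256 and 2048-bit keys when regenerating` comment next to them would save the next maintainer a debugging round.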