Commit be9ef9fd
Authored May 26, 2009 by xuelei
6720721: CRL check with circular dependency support needed
Summary: checking AKID of certificates and CRLs
Reviewed-by: mullan, weijun
Parent c6577e43
Showing 8 changed files with 1691 additions and 0 deletions
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java  +10 -0
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java  +193 -0
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java  +196 -0
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java  +245 -0
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java  +247 -0
test/java/security/cert/CertPathValidator/indirectCRL/README  +373 -0
test/java/security/cert/CertPathValidator/indirectCRL/generate.sh  +221 -0
test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf  +206 -0
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
...
@@ -339,6 +339,16 @@ class DistributionPointFetcher {
...
@@ -339,6 +339,16 @@ class DistributionPointFetcher {
debug
.
println
(
"crl issuer does not equal cert issuer"
);
debug
.
println
(
"crl issuer does not equal cert issuer"
);
}
}
return
false
;
return
false
;
}
else
{
// in case of self-issued indirect CRL issuer.
byte
[]
certAKID
=
certImpl
.
getExtensionValue
(
PKIXExtensions
.
AuthorityKey_Id
.
toString
());
byte
[]
crlAKID
=
crlImpl
.
getExtensionValue
(
PKIXExtensions
.
AuthorityKey_Id
.
toString
());
if
(!
Arrays
.
equals
(
certAKID
,
crlAKID
))
{
indirectCRL
=
true
;
}
}
}
if
(!
indirectCRL
&&
!
signFlag
)
{
if
(!
indirectCRL
&&
!
signFlag
)
{
...
...
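Review bot: In the new else branch, Arrays.equals(certAKID, crlAKID) compares the raw byte arrays returned by getExtensionValue, so the CRL is flagged as indirect whenever the two Authority Key Identifier extensions differ in encoding, not only when they name different keys. That includes the case where only one side carries the extension (one array is null) and the case where one side adds the issuer name and serial number to the same keyIdentifier. Consider parsing both extensions and comparing just the keyIdentifier field, and state explicitly what should happen when either extension is absent. The comment "in case of self-issued indirect CRL issuer" could also say why the name comparison above is not sufficient: this branch is reached when the issuer names match, and the AKID mismatch is what indicates the CRL was signed by a different key than the certificate.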
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java
0 → 100644
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular depency support needed
* @author Xuelei Fan
*/
import
java.io.*
;
import
java.net.SocketException
;
import
java.util.*
;
import
java.security.Security
;
import
java.security.cert.*
;
import
java.security.cert.CertPathValidatorException.BasicReason
;
public
class
CircularCRLOneLevel
{
static
String
selfSignedCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n"
+
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n"
+
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n"
+
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n"
+
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n"
+
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n"
+
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n"
+
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n"
+
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n"
+
"Vjw=\n"
+
"-----END CERTIFICATE-----"
;
static
String
subCaCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n"
+
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n"
+
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n"
+
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n"
+
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n"
+
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n"
+
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n"
+
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n"
+
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n"
+
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n"
+
"-----END CERTIFICATE-----"
;
static
String
targetCertStr
=
subCaCertStr
;
static
String
crlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n"
+
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n"
+
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n"
+
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n"
+
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n"
+
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n"
+
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n"
+
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n"
+
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n"
+
"-----END CERTIFICATE-----"
;
static
String
crlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n"
+
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n"
+
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n"
+
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n"
+
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n"
+
"-----END X509 CRL-----"
;
private
static
CertPath
generateCertificatePath
()
throws
CertificateException
{
// generate certificate from cert strings
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
;
is
=
new
ByteArrayInputStream
(
targetCertStr
.
getBytes
());
Certificate
targetCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate certification path
List
<
Certificate
>
list
=
Arrays
.
asList
(
new
Certificate
[]
{
targetCert
,
selfSignedCert
});
return
cf
.
generateCertPath
(
list
);
}
private
static
Set
<
TrustAnchor
>
generateTrustAnchors
()
throws
CertificateException
{
// generate certificate from cert string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate a trust anchor
TrustAnchor
anchor
=
new
TrustAnchor
((
X509Certificate
)
selfSignedCert
,
null
);
return
Collections
.
singleton
(
anchor
);
}
private
static
CertStore
generateCertificateStore
()
throws
Exception
{
// generate CRL from CRL string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
crlStr
.
getBytes
());
// generate a cert store
Collection
crls
=
cf
.
generateCRLs
(
is
);
is
=
new
ByteArrayInputStream
(
crlIssuerCertStr
.
getBytes
());
Collection
certs
=
cf
.
generateCertificates
(
is
);
Collection
entries
=
new
HashSet
();
entries
.
addAll
(
crls
);
entries
.
addAll
(
certs
);
return
CertStore
.
getInstance
(
"Collection"
,
new
CollectionCertStoreParameters
(
entries
));
}
public
static
void
main
(
String
args
[])
throws
Exception
{
CertPath
path
=
generateCertificatePath
();
Set
<
TrustAnchor
>
anchors
=
generateTrustAnchors
();
CertStore
crls
=
generateCertificateStore
();
PKIXParameters
params
=
new
PKIXParameters
(
anchors
);
// add the CRL store
params
.
addCertStore
(
crls
);
// Activate certificate revocation checking
params
.
setRevocationEnabled
(
true
);
// set the validation time
params
.
setDate
(
new
Date
(
109
,
5
,
1
));
// 2009-05-01
// disable OCSP checker
Security
.
setProperty
(
"ocsp.enable"
,
"false"
);
// enable CRL checker
System
.
setProperty
(
"com.sun.security.enableCRLDP"
,
"true"
);
CertPathValidator
validator
=
CertPathValidator
.
getInstance
(
"PKIX"
);
try
{
validator
.
validate
(
path
,
params
);
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
cpve
.
getReason
()
!=
BasicReason
.
REVOKED
)
{
throw
new
Exception
(
"unexpect exception, should be a REVOKED CPVE"
,
cpve
);
}
}
}
}
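Review bot: The catch block in main() only rethrows when cpve.getReason() != BasicReason.REVOKED, so a REVOKED result is silently swallowed and this test passes whether the target certificate validates or is reported as revoked. This file is the non-revoked case (there is no throw after validator.validate(path, params), unlike the Revoked variant), so any CertPathValidatorException should fail the test; dropping the try/catch and letting the exception propagate would do that. The message "unexpect exception, should be a REVOKED CPVE" looks copied from the revoked test and has a typo. Separately, new Date(109, 5, 1) uses a zero-based month, so it is June 1, 2009 rather than the 2009-05-01 stated in the comment.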
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java
0 → 100644
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular depency support needed
* @author Xuelei Fan
*/
import
java.io.*
;
import
java.net.SocketException
;
import
java.util.*
;
import
java.security.Security
;
import
java.security.cert.*
;
import
java.security.cert.CertPathValidatorException.BasicReason
;
public
class
CircularCRLOneLevelRevoked
{
static
String
selfSignedCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n"
+
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n"
+
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n"
+
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n"
+
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n"
+
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n"
+
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n"
+
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n"
+
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n"
+
"Vjw=\n"
+
"-----END CERTIFICATE-----"
;
static
String
dumCaCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n"
+
"0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n"
+
"bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n"
+
"f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n"
+
"/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n"
+
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n"
+
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n"
+
"EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n"
+
"TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n"
+
"mihnXyZWWTA1sPZlVJu7/abJ2v0=\n"
+
"-----END CERTIFICATE-----"
;
// a revoked certificate
static
String
targetCertStr
=
dumCaCertStr
;
static
String
crlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n"
+
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n"
+
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n"
+
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n"
+
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n"
+
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n"
+
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n"
+
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n"
+
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n"
+
"-----END CERTIFICATE-----"
;
static
String
crlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n"
+
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n"
+
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n"
+
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n"
+
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n"
+
"-----END X509 CRL-----"
;
private
static
CertPath
generateCertificatePath
()
throws
CertificateException
{
// generate certificate from cert strings
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
;
is
=
new
ByteArrayInputStream
(
targetCertStr
.
getBytes
());
Certificate
targetCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate certification path
List
<
Certificate
>
list
=
Arrays
.
asList
(
new
Certificate
[]
{
targetCert
,
selfSignedCert
});
return
cf
.
generateCertPath
(
list
);
}
private
static
Set
<
TrustAnchor
>
generateTrustAnchors
()
throws
CertificateException
{
// generate certificate from cert string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate a trust anchor
TrustAnchor
anchor
=
new
TrustAnchor
((
X509Certificate
)
selfSignedCert
,
null
);
return
Collections
.
singleton
(
anchor
);
}
private
static
CertStore
generateCertificateStore
()
throws
Exception
{
// generate CRL from CRL string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
crlStr
.
getBytes
());
// generate a cert store
Collection
crls
=
cf
.
generateCRLs
(
is
);
is
=
new
ByteArrayInputStream
(
crlIssuerCertStr
.
getBytes
());
Collection
certs
=
cf
.
generateCertificates
(
is
);
Collection
entries
=
new
HashSet
();
entries
.
addAll
(
crls
);
entries
.
addAll
(
certs
);
return
CertStore
.
getInstance
(
"Collection"
,
new
CollectionCertStoreParameters
(
entries
));
}
public
static
void
main
(
String
args
[])
throws
Exception
{
CertPath
path
=
generateCertificatePath
();
Set
<
TrustAnchor
>
anchors
=
generateTrustAnchors
();
CertStore
crls
=
generateCertificateStore
();
PKIXParameters
params
=
new
PKIXParameters
(
anchors
);
// add the CRL store
params
.
addCertStore
(
crls
);
// Activate certificate revocation checking
params
.
setRevocationEnabled
(
true
);
// set the validation time
params
.
setDate
(
new
Date
(
109
,
5
,
1
));
// 2009-05-01
// disable OCSP checker
Security
.
setProperty
(
"ocsp.enable"
,
"false"
);
// enable CRL checker
System
.
setProperty
(
"com.sun.security.enableCRLDP"
,
"true"
);
CertPathValidator
validator
=
CertPathValidator
.
getInstance
(
"PKIX"
);
try
{
validator
.
validate
(
path
,
params
);
throw
new
Exception
(
"unexpected status, should be REVOKED"
);
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
cpve
.
getReason
()
!=
BasicReason
.
REVOKED
)
{
throw
new
Exception
(
"unexpected exception, should be a REVOKED CPVE"
,
cpve
);
}
}
}
}
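Review bot: params.setDate(new Date(109, 5, 1)) does not match its "// 2009-05-01" comment: the deprecated Date(int, int, int) constructor takes a zero-based month, so this is June 1, 2009 in the JVM's default time zone. Either correct the comment or build the date with a Calendar and an explicit time zone so the validation time is unambiguous relative to the thisUpdate of the embedded CRL. Smaller points in the same file: java.net.SocketException is imported but not used, generateCertificateStore() uses raw Collection and HashSet types, and the name dumCaCertStr would be clearer with a comment saying what this certificate represents beyond "a revoked certificate".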
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java
0 → 100644
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular depency support needed
* @author Xuelei Fan
*/
import
java.io.*
;
import
java.net.SocketException
;
import
java.util.*
;
import
java.security.Security
;
import
java.security.cert.*
;
import
java.security.cert.CertPathValidatorException.BasicReason
;
public
class
CircularCRLTwoLevel
{
static
String
selfSignedCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n"
+
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n"
+
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n"
+
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n"
+
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n"
+
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n"
+
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n"
+
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n"
+
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n"
+
"Vjw=\n"
+
"-----END CERTIFICATE-----"
;
static
String
subCaCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n"
+
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n"
+
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n"
+
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n"
+
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n"
+
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n"
+
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n"
+
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n"
+
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n"
+
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n"
+
"-----END CERTIFICATE-----"
;
static
String
targetCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n"
+
"MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n"
+
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n"
+
"9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n"
+
"ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n"
+
"V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n"
+
"pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n"
+
"4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n"
+
"9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n"
+
"wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n"
+
"Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n"
+
"-----END CERTIFICATE-----"
;
static
String
topCrlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n"
+
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n"
+
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n"
+
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n"
+
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n"
+
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n"
+
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n"
+
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n"
+
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n"
+
"-----END CERTIFICATE-----"
;
static
String
subCrlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n"
+
"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n"
+
"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n"
+
"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n"
+
"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n"
+
"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n"
+
"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n"
+
"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n"
+
"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n"
+
"rg==\n"
+
"-----END CERTIFICATE-----"
;
static
String
topCrlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n"
+
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n"
+
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n"
+
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n"
+
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n"
+
"-----END X509 CRL-----"
;
static
String
subCrlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n"
+
"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n"
+
"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n"
+
"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n"
+
"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n"
+
"ARGr6Qu68MYGtLMC6ZqP3u0=\n"
+
"-----END X509 CRL-----"
;
private
static
CertPath
generateCertificatePath
()
throws
CertificateException
{
// generate certificate from cert strings
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
;
is
=
new
ByteArrayInputStream
(
targetCertStr
.
getBytes
());
Certificate
targetCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
subCaCertStr
.
getBytes
());
Certificate
subCaCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate certification path
List
<
Certificate
>
list
=
Arrays
.
asList
(
new
Certificate
[]
{
targetCert
,
subCaCert
,
selfSignedCert
});
return
cf
.
generateCertPath
(
list
);
}
private
static
Set
<
TrustAnchor
>
generateTrustAnchors
()
throws
CertificateException
{
// generate certificate from cert string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate a trust anchor
TrustAnchor
anchor
=
new
TrustAnchor
((
X509Certificate
)
selfSignedCert
,
null
);
return
Collections
.
singleton
(
anchor
);
}
private
static
CertStore
generateCertificateStore
()
throws
Exception
{
Collection
entries
=
new
HashSet
();
// generate CRL from CRL string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
topCrlStr
.
getBytes
());
Collection
mixes
=
cf
.
generateCRLs
(
is
);
entries
.
addAll
(
mixes
);
is
=
new
ByteArrayInputStream
(
subCrlStr
.
getBytes
());
mixes
=
cf
.
generateCRLs
(
is
);
entries
.
addAll
(
mixes
);
// intermediate certs
is
=
new
ByteArrayInputStream
(
topCrlIssuerCertStr
.
getBytes
());
mixes
=
cf
.
generateCertificates
(
is
);
entries
.
addAll
(
mixes
);
is
=
new
ByteArrayInputStream
(
subCrlIssuerCertStr
.
getBytes
());
mixes
=
cf
.
generateCertificates
(
is
);
entries
.
addAll
(
mixes
);
return
CertStore
.
getInstance
(
"Collection"
,
new
CollectionCertStoreParameters
(
entries
));
}
public
static
void
main
(
String
args
[])
throws
Exception
{
CertPath
path
=
generateCertificatePath
();
Set
<
TrustAnchor
>
anchors
=
generateTrustAnchors
();
CertStore
crls
=
generateCertificateStore
();
PKIXParameters
params
=
new
PKIXParameters
(
anchors
);
// add the CRL store
params
.
addCertStore
(
crls
);
// Activate certificate revocation checking
params
.
setRevocationEnabled
(
true
);
// set the validation time
params
.
setDate
(
new
Date
(
109
,
5
,
1
));
// 2009-05-01
// disable OCSP checker
Security
.
setProperty
(
"ocsp.enable"
,
"false"
);
// enable CRL checker
System
.
setProperty
(
"com.sun.security.enableCRLDP"
,
"true"
);
CertPathValidator
validator
=
CertPathValidator
.
getInstance
(
"PKIX"
);
try
{
validator
.
validate
(
path
,
params
);
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
cpve
.
getReason
()
!=
BasicReason
.
REVOKED
)
{
throw
new
Exception
(
"unexpect exception, should be a REVOKED CPVE"
,
cpve
);
}
}
}
}
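Review bot: As written, main() accepts a REVOKED outcome: the catch block rethrows only when cpve.getReason() != BasicReason.REVOKED, and there is no failure path after validator.validate(path, params), so the test passes both when the path validates and when the target is reported as revoked. If this two-level case is meant to validate successfully, remove the try/catch so any CertPathValidatorException fails the test. In generateCertificateStore(), the variable mixes is reused for both CRLs and certificates with raw Collection types; separate, typed variables (for example Collection<? extends CRL> and Collection<? extends Certificate>) would make it clearer which of the four inputs ends up in the store.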
test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java
0 → 100644
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
*
* @bug 6720721
* @summary CRL check with circular depency support needed
* @author Xuelei Fan
*/
import
java.io.*
;
import
java.net.SocketException
;
import
java.util.*
;
import
java.security.Security
;
import
java.security.cert.*
;
import
java.security.cert.CertPathValidatorException.BasicReason
;
public
class
CircularCRLTwoLevelRevoked
{
static
String
selfSignedCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n"
+
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n"
+
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n"
+
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n"
+
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n"
+
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n"
+
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n"
+
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n"
+
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n"
+
"Vjw=\n"
+
"-----END CERTIFICATE-----"
;
static
String
subCaCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n"
+
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n"
+
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n"
+
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n"
+
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n"
+
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n"
+
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n"
+
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n"
+
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n"
+
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n"
+
"-----END CERTIFICATE-----"
;
// a revoked certificate
static
String
targetCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n"
+
"MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n"
+
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n"
+
"9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n"
+
"1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n"
+
"+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n"
+
"FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n"
+
"tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n"
+
"9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n"
+
"5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n"
+
"tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n"
+
"-----END CERTIFICATE-----"
;
static
String
topCrlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n"
+
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n"
+
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n"
+
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n"
+
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n"
+
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n"
+
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n"
+
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n"
+
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n"
+
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n"
+
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n"
+
"-----END CERTIFICATE-----"
;
static
String
subCrlIssuerCertStr
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n"
+
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n"
+
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n"
+
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n"
+
"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n"
+
"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n"
+
"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n"
+
"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n"
+
"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n"
+
"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n"
+
"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n"
+
"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n"
+
"rg==\n"
+
"-----END CERTIFICATE-----"
;
static
String
topCrlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n"
+
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n"
+
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n"
+
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n"
+
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n"
+
"-----END X509 CRL-----"
;
static
String
subCrlStr
=
"-----BEGIN X509 CRL-----\n"
+
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n"
+
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n"
+
"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n"
+
"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n"
+
"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n"
+
"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n"
+
"ARGr6Qu68MYGtLMC6ZqP3u0=\n"
+
"-----END X509 CRL-----"
;
private
static
CertPath
generateCertificatePath
()
throws
CertificateException
{
// generate certificate from cert strings
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
;
is
=
new
ByteArrayInputStream
(
targetCertStr
.
getBytes
());
Certificate
targetCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
subCaCertStr
.
getBytes
());
Certificate
subCaCert
=
cf
.
generateCertificate
(
is
);
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate certification path
List
<
Certificate
>
list
=
Arrays
.
asList
(
new
Certificate
[]
{
targetCert
,
subCaCert
,
selfSignedCert
});
return
cf
.
generateCertPath
(
list
);
}
private
static
Set
<
TrustAnchor
>
generateTrustAnchors
()
throws
CertificateException
{
// generate certificate from cert string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
selfSignedCertStr
.
getBytes
());
Certificate
selfSignedCert
=
cf
.
generateCertificate
(
is
);
// generate a trust anchor
TrustAnchor
anchor
=
new
TrustAnchor
((
X509Certificate
)
selfSignedCert
,
null
);
return
Collections
.
singleton
(
anchor
);
}
private
static
CertStore
generateCertificateStore
()
throws
Exception
{
Collection
entries
=
new
HashSet
();
// generate CRL from CRL string
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
ByteArrayInputStream
is
=
new
ByteArrayInputStream
(
topCrlStr
.
getBytes
());
Collection
mixes
=
cf
.
generateCRLs
(
is
);
entries
.
addAll
(
mixes
);
is
=
new
ByteArrayInputStream
(
subCrlStr
.
getBytes
());
mixes
=
cf
.
generateCRLs
(
is
);
entries
.
addAll
(
mixes
);
// intermediate certs
is
=
new
ByteArrayInputStream
(
topCrlIssuerCertStr
.
getBytes
());
mixes
=
cf
.
generateCertificates
(
is
);
entries
.
addAll
(
mixes
);
is
=
new
ByteArrayInputStream
(
subCrlIssuerCertStr
.
getBytes
());
mixes
=
cf
.
generateCertificates
(
is
);
entries
.
addAll
(
mixes
);
return
CertStore
.
getInstance
(
"Collection"
,
new
CollectionCertStoreParameters
(
entries
));
}
public
static
void
main
(
String
args
[])
throws
Exception
{
CertPath
path
=
generateCertificatePath
();
Set
<
TrustAnchor
>
anchors
=
generateTrustAnchors
();
CertStore
crls
=
generateCertificateStore
();
PKIXParameters
params
=
new
PKIXParameters
(
anchors
);
// add the CRL store
params
.
addCertStore
(
crls
);
// Activate certificate revocation checking
params
.
setRevocationEnabled
(
true
);
// set the validation time
params
.
setDate
(
new
Date
(
109
,
5
,
1
));
// 2009-05-01
// disable OCSP checker
Security
.
setProperty
(
"ocsp.enable"
,
"false"
);
// enable CRL checker
System
.
setProperty
(
"com.sun.security.enableCRLDP"
,
"true"
);
CertPathValidator
validator
=
CertPathValidator
.
getInstance
(
"PKIX"
);
try
{
validator
.
validate
(
path
,
params
);
throw
new
Exception
(
"unexpected status, should be REVOKED"
);
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
cpve
.
getReason
()
!=
BasicReason
.
REVOKED
)
{
throw
new
Exception
(
"unexpect exception, should be a REVOKED CPVE"
,
cpve
);
}
}
}
}
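Review bot: The validation date in main() does not match its comment: `new Date(109, 5, 1)` is 1 June 2009, because the month argument of this deprecated constructor is zero-based, while the comment says `// 2009-05-01`. Either pass 4 for the month or correct the comment, and preferably build the date from a Calendar with an explicit time zone so the test does not depend on the host's default zone. The catch block only checks `cpve.getReason() != BasicReason.REVOKED`; also asserting `cpve.getIndex()` would confirm that the certificate reported as revoked is the target certificate and not the sub CA. Smaller points: `Collection entries = new HashSet();` and `Collection mixes` are raw types, the `getBytes()` calls rely on the platform default charset, and the message "unexpect exception" has a typo.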
test/java/security/cert/CertPathValidator/indirectCRL/README
0 → 100644
View file @
be9ef9fd
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
Certificates and CRLs
Here lists the Certificates and CRLs, which was generated by generate.sh,
used in the test cases.
The generate.sh depends on openssl, and it should be run under ksh. The
script will create many directories and files, please run it in a
directory outside of JDK workspace.
1. root certifiate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,407A749DF8F6338E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-----END RSA PRIVATE KEY-----
2. root crl issuer and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4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-----END RSA PRIVATE KEY-----
3. root CRL issued by root crl issuer.
-----BEGIN X509 CRL-----
MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX
DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ
KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY
CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg
oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=
-----END X509 CRL-----
4. subca certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0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-----END RSA PRIVATE KEY-----
5. crl issuer of subca, the certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3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-----END RSA PRIVATE KEY-----
6. CLR issued by subca CRL issuer
-----BEGIN X509 CRL-----
MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw
NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO
MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr
aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX
nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa
ARGr6Qu68MYGtLMC6ZqP3u0=
-----END X509 CRL-----
7. dumca certificate and key
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3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-----END RSA PRIVATE KEY-----
8. crl issuer for dumca, the certificate and key
-----BEGIN CERTIFICATE-----
MIICPTCCAaagAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa
MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDDBVR9IPJq6ND9z3Wpsv
s0VfJief2QW6U7fNYAnpD4eXNXdwWtZvybMI12crUp31AWzjIaffsBzlFjBO3vKn
edJ+Om2nhqPPT31nDIWIx1VdS7jL+XoFpo8QgzJQpX0rDZNhaTbQcgnuRhzOZ+x2
AzxxQf7aMI6YQ5xklO1ftQIDAQABo3cwdTAdBgNVHQ4EFgQUYqt5Hbekj/p4UkfY
sP4Ma5HdTpkwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x
CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN
BgkqhkiG9w0BAQQFAAOBgQAMBqjEfALPFj+asQfTjSqXZimybm5WCYJcv92WAaFm
2aJe08jUKCwCVo29CFMMgVG5X0UhEP+ude9RyonYNrMg84hFrQdZSto4Co5yfCGi
SMaa91gkN8/W4VKFjDoooOQ/9o6i22OC7av6+r+qhGMsop5mqRMumAM+C00dy1m6
5g==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5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-----END RSA PRIVATE KEY-----
9. end entity certificate issued by subca, Alice
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3616B3F098ED6707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-----END RSA PRIVATE KEY-----
10. end entity certificate issued by subca, Bob
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72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-----END RSA PRIVATE KEY-----
10. end entity certificate issued by subca, Susan
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A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-----END RSA PRIVATE KEY-----
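Review bot: The README lists private keys for every entity but never says that they are test-only fixtures, or that the passphrase protecting them is the one hard-coded in generate.sh (`pass:passphrase`); a sentence near the top stating both would keep anyone from treating this material as reusable. It would also help to map each numbered item to the variable that embeds it in the tests (for example item 3 to `topCrlStr` and item 6 to `subCrlStr`), since the tests carry the same PEM text with no pointer back. In the list itself, "10." is used twice (Bob and Susan), item 6 says "CLR" for CRL, item 1 says "certifiate", and the opening sentence "Here lists the Certificates and CRLs, which was generated" needs rewording.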
test/java/security/cert/CertPathValidator/indirectCRL/generate.sh
0 → 100644
View file @
be9ef9fd
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#!/bin/ksh
#
# needs ksh to run the script.
# generate a self-signed root certificate
if
[
!
-f
root/root_cert.pem
]
;
then
if
[
!
-d
root
]
;
then
mkdir
root
fi
openssl req
-x509
-newkey
rsa:1024
-keyout
root/root_key.pem
\
-out
root/root_cert.pem
-subj
"/C=US/O=Example"
\
-config
openssl.cnf
-reqexts
cert_issuer
-days
7650
\
-passin
pass:passphrase
-passout
pass:passphrase
fi
# generate a sele-issued root crl issuer certificate
if
[
!
-f
root/top_crlissuer_cert.pem
]
;
then
if
[
!
-d
root
]
;
then
mkdir
root
fi
openssl req
-newkey
rsa:1024
-keyout
root/top_crlissuer_key.pem
\
-out
root/top_crlissuer_req.pem
-subj
"/C=US/O=Example"
-days
7650
\
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
root/top_crlissuer_req.pem
-extfile
openssl.cnf
\
-extensions
crl_issuer
-CA
root/root_cert.pem
\
-CAkey
root/root_key.pem
-out
root/top_crlissuer_cert.pem
\
-CAcreateserial
-CAserial
root/root_cert.srl
-days
7200
\
-passin
pass:passphrase
fi
# generate subca cert issuer and crl iuuser certificates
if
[
!
-f
subca/subca_cert.pem
]
;
then
if
[
!
-d
subca
]
;
then
mkdir
subca
fi
openssl req
-newkey
rsa:1024
-keyout
subca/subca_key.pem
\
-out
subca/subca_req.pem
-subj
"/C=US/O=Example/OU=Class-1"
\
-days
7650
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
subca/subca_req.pem
-extfile
openssl.cnf
\
-extensions
cert_issuer
-CA
root/root_cert.pem
\
-CAkey
root/root_key.pem
-out
subca/subca_cert.pem
-CAcreateserial
\
-CAserial
root/root_cert.srl
-days
7200
-passin
pass:passphrase
openssl req
-newkey
rsa:1024
-keyout
subca/subca_crlissuer_key.pem
\
-out
subca/subca_crlissuer_req.pem
-subj
"/C=US/O=Example/OU=Class-1"
\
-days
7650
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
subca/subca_crlissuer_req.pem
-extfile
openssl.cnf
\
-extensions
crl_issuer
-CA
root/root_cert.pem
\
-CAkey
root/root_key.pem
-out
subca/subca_crlissuer_cert.pem
\
-CAcreateserial
-CAserial
root/root_cert.srl
-days
7200
\
-passin
pass:passphrase
fi
# generate dumca cert issuer and crl iuuser certificates
if
[
!
-f
dumca/dumca_cert.pem
]
;
then
if
[
!
-d
sumca
]
;
then
mkdir
dumca
fi
openssl req
-newkey
rsa:1024
-keyout
dumca/dumca_key.pem
\
-out
dumca/dumca_req.pem
-subj
"/C=US/O=Example/OU=Class-D"
\
-days
7650
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
dumca/dumca_req.pem
-extfile
openssl.cnf
\
-extensions
cert_issuer
-CA
root/root_cert.pem
\
-CAkey
root/root_key.pem
-out
dumca/dumca_cert.pem
\
-CAcreateserial
-CAserial
root/root_cert.srl
-days
7200
\
-passin
pass:passphrase
openssl req
-newkey
rsa:1024
-keyout
dumca/dumca_crlissuer_key.pem
\
-out
dumca/dumca_crlissuer_req.pem
-subj
"/C=US/O=Example/OU=Class-D"
\
-days
7650
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
dumca/dumca_crlissuer_req.pem
\
-extfile
openssl.cnf
-extensions
crl_issuer
-CA
root/root_cert.pem
\
-CAkey
root/root_key.pem
-out
dumca/dumca_crlissuer_cert.pem
\
-CAcreateserial
-CAserial
root/root_cert.srl
-days
7200
\
-passin
pass:passphrase
fi
# generate certifiacte for Alice
if
[
!
-f
subca/alice/alice_cert.pem
]
;
then
if
[
!
-d
subca/alice
]
;
then
mkdir
-p
subca/alice
fi
openssl req
-newkey
rsa:1024
-keyout
subca/alice/alice_key.pem
\
-out
subca/alice/alice_req.pem
\
-subj
"/C=US/O=Example/OU=Class-1/CN=Alice"
-days
7650
\
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
subca/alice/alice_req.pem
\
-extfile
openssl.cnf
-extensions
ee_of_subca
\
-CA
subca/subca_cert.pem
-CAkey
subca/subca_key.pem
\
-out
subca/alice/alice_cert.pem
-CAcreateserial
\
-CAserial
subca/subca_cert.srl
-days
7200
-passin
pass:passphrase
fi
# generate certifiacte for Bob
if
[
!
-f
subca/bob/bob_cert.pem
]
;
then
if
[
!
-d
subca/bob
]
;
then
mkdir
-p
subca/bob
fi
openssl req
-newkey
rsa:1024
-keyout
subca/bob/bob_key.pem
\
-out
subca/bob/bob_req.pem
\
-subj
"/C=US/O=Example/OU=Class-1/CN=Bob"
-days
7650
\
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
subca/bob/bob_req.pem
\
-extfile
openssl.cnf
-extensions
ee_of_subca
\
-CA
subca/subca_cert.pem
-CAkey
subca/subca_key.pem
\
-out
subca/bob/bob_cert.pem
-CAcreateserial
\
-CAserial
subca/subca_cert.srl
-days
7200
-passin
pass:passphrase
fi
# generate certifiacte for Susan
if
[
!
-f
subca/susan/susan_cert.pem
]
;
then
if
[
!
-d
subca/susan
]
;
then
mkdir
-p
subca/susan
fi
openssl req
-newkey
rsa:1024
-keyout
subca/susan/susan_key.pem
\
-out
subca/susan/susan_req.pem
\
-subj
"/C=US/O=Example/OU=Class-1/CN=Susan"
-days
7650
\
-passin
pass:passphrase
-passout
pass:passphrase
openssl x509
-req
-in
subca/susan/susan_req.pem
-extfile
openssl.cnf
\
-extensions
ee_of_subca
-CA
subca/subca_cert.pem
\
-CAkey
subca/subca_key.pem
-out
subca/susan/susan_cert.pem
\
-CAcreateserial
-CAserial
subca/subca_cert.srl
-days
7200
\
-passin
pass:passphrase
fi
# generate the top CRL
if
[
!
-f
root/top_crl.pem
]
;
then
if
[
!
-d
root
]
;
then
mkdir
root
fi
if
[
!
-f
root/index.txt
]
;
then
touch
root/index.txt
echo
00
>
root/crlnumber
fi
openssl ca
-gencrl
-config
openssl.cnf
-name
ca_top
-crldays
7000
\
-crl_reason
superseded
-keyfile
root/top_crlissuer_key.pem
\
-cert
root/top_crlissuer_cert.pem
-out
root/top_crl.pem
\
-passin
pass:passphrase
fi
# revoke dumca
openssl ca
-revoke
dumca/dumca_cert.pem
-config
openssl.cnf
\
-name
ca_top
-crl_reason
superseded
\
-keyfile
root/top_crlissuer_key.pem
-cert
root/top_crlissuer_cert.pem
\
-passin
pass:passphrase
openssl ca
-gencrl
-config
openssl.cnf
-name
ca_top
-crldays
7000
\
-crl_reason
superseded
-keyfile
root/top_crlissuer_key.pem
\
-cert
root/top_crlissuer_cert.pem
-out
root/top_crl.pem
\
-passin
pass:passphrase
# revoke for subca
if
[
!
-f
subca/subca_crl.pem
]
;
then
if
[
!
-d
subca
]
;
then
mkdir
subca
fi
if
[
!
-f
subca/index.txt
]
;
then
touch
subca/index.txt
echo
00
>
subca/crlnumber
fi
openssl ca
-gencrl
-config
openssl.cnf
-name
ca_subca
-crldays
7000
\
-crl_reason
superseded
-keyfile
subca/subca_crlissuer_key.pem
\
-cert
subca/subca_crlissuer_cert.pem
-out
subca/subca_crl.pem
\
-passin
pass:passphrase
fi
# revoke susan
openssl ca
-revoke
subca/susan/susan_cert.pem
-config
openssl.cnf
\
-name
ca_subca
-crl_reason
superseded
\
-keyfile
subca/subca_crlissuer_key.pem
\
-cert
subca/subca_crlissuer_cert.pem
-passin
pass:passphrase
openssl ca
-gencrl
-config
openssl.cnf
-name
ca_subca
-crldays
7000
\
-crl_reason
superseded
-keyfile
subca/subca_crlissuer_key.pem
\
-cert
subca/subca_crlissuer_cert.pem
-out
subca/subca_crl.pem
\
-passin
pass:passphrase
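Review bot: In the dumca block the directory test checks the wrong name: `[ ! -d sumca ]` guards `mkdir dumca`, so whenever dumca/ already exists but dumca_cert.pem does not, the script tries to create an existing directory; the test should be `[ ! -d dumca ]`. The `#!/bin/ksh` line sits below the license comment, so it is not the first line of the file and has no effect as an interpreter line; move it to line 1 if the script is meant to be executed directly. The two `openssl ca -revoke` steps (dumca and susan) and the CRL regeneration that follows each are outside any `if` guard, unlike every other step, so a second run will attempt to revoke certificates already recorded in index.txt; guard them or note that the script is single-run only. Comment typos: "sele-issued", "iuuser" (twice), "certifiacte" (three times).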
test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf
0 → 100644
View file @
be9ef9fd
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#
# OpenSSL configuration file.
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./top
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_top ]
dir = ./root
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_subca ]
dir = ./subca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = A-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign
[ cert_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign
[ crl_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
[ ee_of_subca ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
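Review bot: The `[ crl_ext ]` section is defined but never referenced: neither `[ ca_top ]` nor `[ ca_subca ]` sets `crl_extensions`, and the `openssl ca -gencrl` calls in generate.sh pass no `-crlexts`, so the `authorityKeyIdentifier = keyid:always,issuer:always` setting is not applied to the generated CRLs. Given that the commit summary is about checking the AKID of certificates and CRLs, either add `crl_extensions = crl_ext` to both CA sections or remove the section and add a comment that the CRLs are deliberately issued without an AKID. `[ CA_default ]` points at `./top`, which generate.sh never creates, and `[ v3_req ]`, `[ v3_ca ]` and `[ policy_match ]` are not selected by any command in the script; trimming the unused sections, or merging the settings that `ca_top` and `ca_subca` duplicate line for line, would make it clearer which settings the fixtures actually depend on.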