/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringBufferInputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.text.ParseException;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import sun.net.spi.nameservice.NameService;
import sun.net.spi.nameservice.NameServiceDescriptor;
/*
* @test
* @bug 8134708
* @summary Check if LDAP resources from CRLDP and AIA extensions can be loaded
* @modules java.base/sun.net.spi.nameservice
* @run main/othervm ExtensionsWithLDAP
*/
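/**
 * Regression test for JDK-8134708: with {@code com.sun.security.enableCRLDP}
 * and {@code com.sun.security.enableAIAcaIssuers} switched on, the PKIX
 * validator is expected to follow the LDAP URIs carried in the end-entity
 * certificate's CRL Distribution Points and Authority Information Access
 * extensions.
 *
 * Following those URIs means the validator opens connections to whatever
 * hosts the certificate issuer named, so the test deliberately never reaches
 * the real network: it registers a name service (through the internal,
 * unsupported {@code sun.net.spi.nameservice} SPI) that records every host
 * name it is asked to resolve and then fails the lookup with
 * {@link UnknownHostException}. No TCP connection can be made without an
 * address, so validation is expected to fail; the test passes when both LDAP
 * host names were looked up, which shows the validator tried to load the CRL
 * and the issuer certificate the extensions point to.
 *
 * The test runs in its own VM ({@code @run main/othervm}) because it sets
 * process-wide system properties.
 */
public class ExtensionsWithLDAP {

    /*
     * Certificate:
     * Data:
     * Version: 3 (0x2)
     * Serial Number: 11174053930990688938 (0x9b1236d8f9c1daaa)
     * Signature Algorithm: sha512WithRSAEncryption
     * Issuer: CN=Root
     * Validity
     * Not Before: Sep 1 18:03:59 2015 GMT
     * Not After : Jan 17 18:03:59 2043 GMT
     * Subject: CN=Root
     */
    private static final String CA_CERT = ""
            + "-----BEGIN CERTIFICATE-----\n"
            + "MIIC8TCCAdmgAwIBAgIJAJsSNtj5wdqqMA0GCSqGSIb3DQEBDQUAMA8xDTALBgNV\n"
            + "BAMMBFJvb3QwHhcNMTUwOTAxMTgwMzU5WhcNNDMwMTE3MTgwMzU5WjAPMQ0wCwYD\n"
            + "VQQDDARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvj892vPm\n"
            + "bB++x9QqqyBveP+ZqQ2B1stV7vh5JmDnOTevkZUOcemp3SXu/esNLSbpL+fARYXH\n"
            + "V5ubnrfip6RbvcxPfVIIDJrRTLIIsU6W7M6/LJLbLkEVGy4ZV4IHkOw9W2O92rcv\n"
            + "BkoqhzZnOTGR6uT3rRcKx4RevEKBKhZO+OPPf//lnckOybmYL7t7yQrajzHro76b\n"
            + "QTXYjAUq/DKhglXfC7vF/JzlAvG2IunGmIfjGcnuDo/9X3Bxef/q5TxCS35fvb7t\n"
            + "svC+g2QhTcBkQh4uNW2jSjlTIVp1uErCfP5aCjLaez5mqmb1hxPIlcvsNR23HwU6\n"
            + "bQO7z7NBo9Do6QIDAQABo1AwTjAdBgNVHQ4EFgQUmLZNOBBkqdYoElyxklPYHmAb\n"
            + "QXIwHwYDVR0jBBgwFoAUmLZNOBBkqdYoElyxklPYHmAbQXIwDAYDVR0TBAUwAwEB\n"
            + "/zANBgkqhkiG9w0BAQ0FAAOCAQEAYV4fOhDi5q7+XNXCxO8Eil2frR9jqdP4LaQp\n"
            + "3L0evW0gvPX68s2WmkPWzIu4TJcpdGFQqxyQFSXuKBXjthyiln77QItGTHWeafES\n"
            + "q5ESrKdSaJZq1bTIrrReCIP74f+fY/F4Tnb3dCqzaljXfzpdbeRsIW6gF71xcOUQ\n"
            + "nnPEjGVPLUegN+Wn/jQpeLxxIB7FmNXncdRUfMfZ43xVSKuMCy1UUYqJqTa/pXZj\n"
            + "jCMeRPThRjRqHlJ69jStfWUQATbLyj9KN09rUaJxzmUSt61UqJi7sjcGySaCjAJc\n"
            + "IcCdVmX/DmRLsdv8W36O3MgrvpT1zR3kaAlv2d8HppnBqcL3xg==\n"
            + "-----END CERTIFICATE-----";

    /*
     * Certificate:
     * Data:
     * Version: 3 (0x2)
     * Serial Number: 7 (0x7)
     * Signature Algorithm: sha512WithRSAEncryption
     * Issuer: CN=Root
     * Validity
     * Not Before: Sep 1 18:03:59 2015 GMT
     * Not After : Jan 17 18:03:59 2043 GMT
     * Subject: CN=EE
     * ...
     * X509v3 extensions:
     * X509v3 CRL Distribution Points:
     * Full Name:
     * URI:ldap://ldap.host.for.crldp/main.crl
     * Authority Information Access:
     * CA Issuers - URI:ldap://ldap.host.for.aia/dc=Root?cACertificate
     *
     * The two LDAP host names above are what the test expects to see
     * resolved; they are not registered anywhere and must never be.
     */
    private static final String EE_CERT = ""
            + "-----BEGIN CERTIFICATE-----\n"
            + "MIIDHTCCAgWgAwIBAgIBBzANBgkqhkiG9w0BAQ0FADAPMQ0wCwYDVQQDDARSb290\n"
            + "MB4XDTE1MDkwMTE4MDM1OVoXDTQzMDExNzE4MDM1OVowDTELMAkGA1UEAwwCRUUw\n"
            + "ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpyz97liuWPDYcLH9TX8Bi\n"
            + "T78olCmAfmevvch6ncXUVuCzbdaKuKXwn4EVbDszsVJLoK5zdtP+X3iDhutj+IgK\n"
            + "mLhuczF3M9VIcWr+JJUyTH4+3h/RT8cjCDZOmk9iXkb5ifruVsLqzb9g+Vp140Oz\n"
            + "7leikne7KmclHvTfvFd0WDI7Gb9vo4f5rT717BXJ/n+M6pNk8DLpLiEu6eziYvXR\n"
            + "v5x+t5Go3x0eCXdaxEQUf2j876Wfr2qHRJK7lDfFe1DDsMg/KpKGiILYZ+g2qtVM\n"
            + "ZSxtp5BZEtfB5qV/IE5kWO+mCIAGpXSZIdbERR6pZUq8GLEe1T9e+sO6H24w2F19\n"
            + "AgMBAAGjgYUwgYIwNAYDVR0fBC0wKzApoCegJYYjbGRhcDovL2xkYXAuaG9zdC5m\n"
            + "b3IuY3JsZHAvbWFpbi5jcmwwSgYIKwYBBQUHAQEEPjA8MDoGCCsGAQUFBzAChi5s\n"
            + "ZGFwOi8vbGRhcC5ob3N0LmZvci5haWEvZGM9Um9vdD9jQUNlcnRpZmljYXRlMA0G\n"
            + "CSqGSIb3DQEBDQUAA4IBAQBWDfZHpuUx0yn5d3+BuztFqoks1MkGdk+USlH0TB1/\n"
            + "gWWBd+4S4PCKlpSur0gj2rMW4fP5HQfNlHci8JV8/bG4KuKRAXW56dg1818Hl3pc\n"
            + "iIrUSRn8uUjH3p9qb+Rb/u3mmVQRyJjN2t/zceNsO8/+Dd808OB9aEwGs8lMT0nn\n"
            + "ZYaaAqYz1GIY/Ecyx1vfEZEQ1ljo6i/r70C3igbypBUShxSiGsleiVTLOGNA+MN1\n"
            + "/a/Qh0bkaQyTGqK3bwvzzMeQVqWu2EWTBD/PmND5ExkpRICdv8LBVXfLnpoBr4lL\n"
            + "hnxn9+e0Ah+t8dS5EKfn44w5bI5PCu2bqxs6RCTxNjcY\n"
            + "-----END CERTIFICATE-----";

    /** Host named by the CRL Distribution Points URI in {@link #EE_CERT}. */
    private static final String LDAP_HOST_CRLDP = "ldap.host.for.crldp";

    /** Host named by the AIA caIssuers URI in {@link #EE_CERT}. */
    private static final String LDAP_HOST_AIA = "ldap.host.for.aia";

    /**
     * A point inside both certificates' validity period (Sep 1 2015 18:03:59
     * GMT .. Jan 17 2043). It is pinned in UTC so the instant does not move
     * with the host's time zone or depend on locale-specific date parsing;
     * a local-midnight date in a zone far east of GMT could otherwise fall
     * before the notBefore time.
     */
    static final Date validationDate = Date.from(
            LocalDate.of(2015, 9, 2).atStartOfDay(ZoneOffset.UTC).toInstant());

    /**
     * Validates the end-entity certificate against the root with CRLDP and
     * AIA fetching enabled, then checks that both LDAP hosts were resolved.
     *
     * @param args ignored
     * @throws Exception if certificates cannot be parsed or the test fails
     */
    public static void main(String[] args) throws Exception {
        // Opt in to fetching CRLs and issuer certificates from the URIs
        // embedded in the certificate. Both are off by default because they
        // let a certificate steer the validator at arbitrary network hosts.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        System.setProperty("com.sun.security.enableAIAcaIssuers", "true");

        // Route host name resolution through LocalNameService ("ns" type,
        // "localdns" provider) so the LDAP hosts are recorded, never contacted.
        System.setProperty("sun.net.spi.nameservice.provider.1", "ns,localdns");

        X509Certificate trustedCert = loadCertificate(CA_CERT);
        X509Certificate eeCert = loadCertificate(EE_CERT);

        Set<TrustAnchor> trustAnchors = new HashSet<>();
        trustAnchors.add(new TrustAnchor(trustedCert, null));

        // The path holds only the end-entity certificate; its issuer is the
        // trust anchor, and the AIA extension says where it could be fetched.
        CertPath cp = CertificateFactory.getInstance("X509")
                .generateCertPath(Arrays.asList(eeCert));

        PKIXParameters params = new PKIXParameters(trustAnchors);
        params.setDate(validationDate);

        // The validator should parse the CRLDP and AIA extensions and try to
        // load the CRL/certificate they point to. Every lookup fails in
        // LocalNameService, so validation cannot succeed (presumably because
        // the revocation status cannot be determined); what matters is that
        // the host names were requested at all.
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            throw new RuntimeException("CertPathValidatorException not thrown");
        } catch (CertPathValidatorException cpve) {
            System.out.println("Expected exception: " + cpve);
        }

        requireHostRequested(LDAP_HOST_CRLDP, "CRLDP");
        requireHostRequested(LDAP_HOST_AIA, "AIA");

        System.out.println("Test passed");
    }

    /**
     * Fails the test unless {@code host} was passed to the local name service.
     *
     * @param host host name expected among the recorded lookups
     * @param extension name of the extension the host came from, for the message
     */
    private static void requireHostRequested(String host, String extension) {
        if (!LocalNameService.requestedHosts.contains(host)) {
            throw new RuntimeException(
                    "A hostname from " + extension + " extension not requested");
        }
    }

    /**
     * Parses a single PEM-encoded X.509 certificate.
     *
     * @param s the certificate text including the BEGIN/END markers
     * @return the parsed certificate
     * @throws IOException if the in-memory stream cannot be read or closed
     * @throws CertificateException if the text is not a valid certificate
     */
    public static X509Certificate loadCertificate(String s)
            throws IOException, CertificateException {
        // PEM is 7-bit ASCII, so the encoding is fixed explicitly. This replaces
        // the deprecated StringBufferInputStream, which silently drops the high
        // byte of every char instead of applying a charset.
        try (ByteArrayInputStream is =
                new ByteArrayInputStream(s.getBytes(StandardCharsets.US_ASCII))) {
            return (X509Certificate) CertificateFactory.getInstance("X509")
                    .generateCertificate(is);
        }
    }

    /**
     * Name service that logs every forward lookup and refuses to resolve
     * anything. Because no address is ever returned, code that consults it
     * cannot open a connection to the requested host.
     */
    public static class LocalNameService implements NameServiceDescriptor {

        /** Host names passed to {@code lookupAllHostAddr}, in request order. */
        static final List<String> requestedHosts = new ArrayList<>();

        @Override
        public NameService createNameService() throws Exception {
            System.out.println("LocalNameService: createNameService() called");
            return new NameService() {

                @Override
                public InetAddress[] lookupAllHostAddr(String host)
                        throws UnknownHostException {
                    System.out.println("LocalNameService: "
                            + "NameService.lookupAllHostAddr(): " + host);
                    // Record the request, then fail it: the test only needs
                    // to know that resolution was attempted.
                    requestedHosts.add(host);
                    throw new UnknownHostException();
                }

                @Override
                public String getHostByAddr(byte[] addr)
                        throws UnknownHostException {
                    System.out.println("LocalNameService: "
                            + "NameService.getHostByAddr(): "
                            + Arrays.toString(addr));
                    throw new UnknownHostException("No reverse lookup");
                }
            };
        }

        /** Provider name; must match the "localdns" part of the property set in main. */
        @Override
        public String getProviderName() {
            return "localdns";
        }

        /** Service type; must match the "ns" part of the property set in main. */
        @Override
        public String getType() {
            return "ns";
        }
    }
}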