8282201: Consider removal of expiry check in VerifyCACerts.java test
Reviewed-by: xuelei, mullan
parent
f813dc7183
commit
5b43804b79
@ -36,16 +36,8 @@ import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.security.KeyStore;
|
||||
import java.security.MessageDigest;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateExpiredException;
|
||||
import java.security.cert.CertificateNotYetValidException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Date;
|
||||
import java.util.Enumeration;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.HexFormat;
|
||||
import java.util.Map;
|
||||
import java.security.cert.*;
|
||||
import java.util.*;
|
||||
|
||||
public class VerifyCACerts {
|
||||
|
||||
@ -251,7 +243,6 @@ public class VerifyCACerts {
|
||||
}
|
||||
};
|
||||
|
||||
// Exception list to 90 days expiry policy
|
||||
// No error will be reported if certificate in this list expires
|
||||
@SuppressWarnings("serial")
|
||||
private static final HashSet<String> EXPIRY_EXC_ENTRIES = new HashSet<>() {
|
||||
@ -280,14 +271,15 @@ public class VerifyCACerts {
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
System.out.println("cacerts file: " + CACERTS);
|
||||
md = MessageDigest.getInstance("SHA-256");
|
||||
|
||||
// verify integrity of cacerts
|
||||
md = MessageDigest.getInstance("SHA-256");
|
||||
byte[] data = Files.readAllBytes(Path.of(CACERTS));
|
||||
String checksum = HEX.formatHex(md.digest(data));
|
||||
if (!checksum.equals(CHECKSUM)) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: wrong checksum\n" + checksum);
|
||||
System.err.println("Expected checksum\n" + CHECKSUM);
|
||||
System.err.println("ERROR: wrong checksum" + checksum);
|
||||
System.err.println("Expected checksum" + CHECKSUM);
|
||||
}
|
||||
|
||||
KeyStore ks = KeyStore.getInstance("JKS");
|
||||
@ -300,6 +292,15 @@ public class VerifyCACerts {
|
||||
+ COUNT);
|
||||
}
|
||||
|
||||
System.out.println("Trusted CA Certificate count: " + ks.size());
|
||||
|
||||
// also ensure FINGERPRINT_MAP lists correct count
|
||||
if (FINGERPRINT_MAP.size() != COUNT) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: " + FINGERPRINT_MAP.size()
|
||||
+ " FINGERPRINT_MAP entries, should be " + COUNT);
|
||||
}
|
||||
|
||||
// check that all entries in the map are in the keystore
|
||||
for (String alias : FINGERPRINT_MAP.keySet()) {
|
||||
if (!ks.isCertificateEntry(alias)) {
|
||||
@ -313,66 +314,66 @@ public class VerifyCACerts {
|
||||
Enumeration<String> aliases = ks.aliases();
|
||||
while (aliases.hasMoreElements()) {
|
||||
String alias = aliases.nextElement();
|
||||
System.out.println("\nVerifying " + alias);
|
||||
System.out.println("Verifying " + alias);
|
||||
|
||||
// Is cert trusted?
|
||||
if (!ks.isCertificateEntry(alias)) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: " + alias
|
||||
+ " is not a trusted cert entry");
|
||||
System.err.println("ERROR: " + alias + " is not a trusted cert entry");
|
||||
}
|
||||
|
||||
// Does fingerprint match?
|
||||
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
|
||||
if (!checkFingerprint(alias, cert)) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: " + alias + " SHA-256 fingerprint is incorrect");
|
||||
}
|
||||
// Make sure cert can be self-verified
|
||||
|
||||
// Can cert be self-verified?
|
||||
try {
|
||||
cert.verify(cert.getPublicKey());
|
||||
} catch (Exception e) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: cert cannot be verified:"
|
||||
+ e.getMessage());
|
||||
System.err.println("ERROR: cert cannot be verified:" + e.getMessage());
|
||||
}
|
||||
|
||||
// Make sure cert is not expired or not yet valid
|
||||
// Is cert expired?
|
||||
try {
|
||||
cert.checkValidity();
|
||||
} catch (CertificateExpiredException cee) {
|
||||
if (!EXPIRY_EXC_ENTRIES.contains(alias)) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: cert is expired");
|
||||
System.err.println("ERROR: cert is expired but not in EXPIRY_EXC_ENTRIES");
|
||||
}
|
||||
} catch (CertificateNotYetValidException cne) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: cert is not yet valid");
|
||||
}
|
||||
|
||||
// If cert is within 90 days of expiring, mark as failure so
|
||||
// If cert is within 90 days of expiring, mark as warning so
|
||||
// that cert can be scheduled to be removed/renewed.
|
||||
Date notAfter = cert.getNotAfter();
|
||||
if (notAfter.getTime() - System.currentTimeMillis() < NINETY_DAYS) {
|
||||
if (!EXPIRY_EXC_ENTRIES.contains(alias)) {
|
||||
atLeastOneFailed = true;
|
||||
System.err.println("ERROR: cert \"" + alias + "\" expiry \""
|
||||
+ notAfter.toString() + "\" will expire within 90 days");
|
||||
System.err.println("WARNING: cert \"" + alias + "\" expiry \""
|
||||
+ notAfter + "\" will expire within 90 days");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (atLeastOneFailed) {
|
||||
throw new Exception("At least one cacert test failed");
|
||||
throw new RuntimeException("At least one cacert test failed");
|
||||
}
|
||||
}
|
||||
|
||||
private static boolean checkFingerprint(String alias, Certificate cert)
|
||||
throws Exception {
|
||||
throws CertificateEncodingException {
|
||||
String fingerprint = FINGERPRINT_MAP.get(alias);
|
||||
if (fingerprint == null) {
|
||||
// no entry for alias
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
System.out.println("Checking fingerprint of " + alias);
|
||||
byte[] digest = md.digest(cert.getEncoded());
|
||||
return fingerprint.equals(HEX.formatHex(digest));
|
||||
}
|
||||
|
||||
}
|
||||
|
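Review bot: In the `@ -313,66 +314,66 @@` hunk the near-expiry branch now prints a `WARNING: cert "..." expiry "..." will expire within 90 days` message, yet `atLeastOneFailed = true;` still appears directly under `if (!EXPIRY_EXC_ENTRIES.contains(alias))` in that block; if that assignment survives on the new side (the rendered page drops the +/- markers), a WARNING-prefixed message still fails the run and the prefix is misleading, so please confirm it was removed together with the old ERROR line. Because near-expiry no longer fails the test, the warning is only visible to whoever reads stderr, and the comment above the check should say so, e.g. `// If cert is within 90 days of expiring, print a warning (does not fail the test) so that cert can be scheduled to be removed/renewed.` The self-verification catch just above, rewritten in this hunk as `System.err.println("ERROR: cert cannot be verified:" + e.getMessage());`, drops the exception type; `"ERROR: cert cannot be verified: " + e` keeps it and adds the missing space. The enclosing main() begins in an earlier hunk, outside this one.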