6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected
Make the builder aware of SKID/AKID, break the internal circular dependencies Reviewed-by: mullan
parent
40a7ea7c9c
commit
5ba2fd7d33
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -34,6 +34,7 @@ import javax.security.auth.x500.X500Principal;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.DerOutputStream;
|
||||
import sun.security.x509.*;
|
||||
|
||||
/**
|
||||
@ -333,7 +334,15 @@ class DistributionPointFetcher {
|
||||
if (match == false) {
|
||||
return false;
|
||||
}
|
||||
indirectCRL = true;
|
||||
|
||||
// we accept the case that a CRL issuer provide status
|
||||
// information for itself.
|
||||
if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
|
||||
// reset the public key used to verify the CRL's signature
|
||||
prevKey = certImpl.getPublicKey();
|
||||
} else {
|
||||
indirectCRL = true;
|
||||
}
|
||||
} else if (crlIssuer.equals(certIssuer) == false) {
|
||||
if (debug != null) {
|
||||
debug.println("crl issuer does not equal cert issuer");
|
||||
@ -347,7 +356,14 @@ class DistributionPointFetcher {
|
||||
PKIXExtensions.AuthorityKey_Id.toString());
|
||||
|
||||
if (!Arrays.equals(certAKID, crlAKID)) {
|
||||
indirectCRL = true;
|
||||
// we accept the case that a CRL issuer provide status
|
||||
// information for itself.
|
||||
if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
|
||||
// reset the public key used to verify the CRL's signature
|
||||
prevKey = certImpl.getPublicKey();
|
||||
} else {
|
||||
indirectCRL = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -542,10 +558,80 @@ class DistributionPointFetcher {
|
||||
certSel.setSubject(crlIssuer.asX500Principal());
|
||||
boolean[] crlSign = {false,false,false,false,false,false,true};
|
||||
certSel.setKeyUsage(crlSign);
|
||||
|
||||
// Currently by default, forward builder does not enable
|
||||
// subject/authority key identifier identifying for target
|
||||
// certificate, instead, it only compares the CRL issuer and
|
||||
// the target certificate subject. If the certificate of the
|
||||
// delegated CRL issuer is a self-issued certificate, the
|
||||
// builder is unable to find the proper CRL issuer by issuer
|
||||
// name only, there is a potential dead loop on finding the
|
||||
// proper issuer. It is of great help to narrow the target
|
||||
// scope down to aware of authority key identifiers in the
|
||||
// selector, for the purposes of breaking the dead loop.
|
||||
AuthorityKeyIdentifierExtension akidext =
|
||||
crlImpl.getAuthKeyIdExtension();
|
||||
if (akidext != null) {
|
||||
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
|
||||
if (akid != null) {
|
||||
DerOutputStream derout = new DerOutputStream();
|
||||
derout.putOctetString(akid.getIdentifier());
|
||||
certSel.setSubjectKeyIdentifier(derout.toByteArray());
|
||||
}
|
||||
|
||||
SerialNumber asn =
|
||||
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
|
||||
if (asn != null) {
|
||||
certSel.setSerialNumber(asn.getNumber());
|
||||
}
|
||||
// the subject criterion will be set by builder automatically.
|
||||
}
|
||||
|
||||
// by far, we have validated the previous certificate, we can
|
||||
// trust it during validating the CRL issuer.
|
||||
// Except the performance improvement, another benefit is to break
|
||||
// the dead loop while looking for the issuer back and forth
|
||||
// between the delegated self-issued certificate and its issuer.
|
||||
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
|
||||
if (anchor != null) {
|
||||
trustAnchors.add(anchor);
|
||||
}
|
||||
|
||||
if (prevKey != null) {
|
||||
// if the previous key is of the anchor, don't bother to
|
||||
// duplicate the trust.
|
||||
boolean duplicated = false;
|
||||
PublicKey publicKey = prevKey;
|
||||
X500Principal principal = certImpl.getIssuerX500Principal();
|
||||
|
||||
if (anchor != null) {
|
||||
X509Certificate trustedCert = anchor.getTrustedCert();
|
||||
X500Principal trustedPrincipal;
|
||||
PublicKey trustedPublicKey;
|
||||
if (trustedCert != null) {
|
||||
trustedPrincipal = trustedCert.getSubjectX500Principal();
|
||||
trustedPublicKey = trustedCert.getPublicKey();
|
||||
} else {
|
||||
trustedPrincipal = anchor.getCA();
|
||||
trustedPublicKey = anchor.getCAPublicKey();
|
||||
}
|
||||
|
||||
if (principal.equals(trustedPrincipal) &&
|
||||
publicKey.equals(trustedPublicKey)) {
|
||||
duplicated = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (!duplicated) {
|
||||
TrustAnchor temporary =
|
||||
new TrustAnchor(principal, publicKey, null);
|
||||
trustAnchors.add(temporary);
|
||||
}
|
||||
}
|
||||
|
||||
PKIXBuilderParameters params = null;
|
||||
try {
|
||||
params = new PKIXBuilderParameters
|
||||
(Collections.singleton(anchor), certSel);
|
||||
params = new PKIXBuilderParameters(trustAnchors, certSel);
|
||||
} catch (InvalidAlgorithmParameterException iape) {
|
||||
throw new CRLException(iape);
|
||||
}
|
||||
|
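Review bot: The temporary `new TrustAnchor(principal, publicKey, null)` built in the `if (prevKey != null)` block lets the CRL-issuer path terminate at the previous certificate's issuer key instead of the configured anchor, and the only thing that makes this safe is the comment's claim that the previous certificate has already been validated; since prevKey is assigned by the caller outside this hunk, that invariant should be stated where prevKey is declared, e.g. `// prevKey must only ever hold a key already validated along the path being built; a temporary anchor is derived from it when building the CRL issuer's path.` The new `if (ForwardBuilder.issues(...))` branches in the two earlier hunks reset prevKey to certImpl's key without a signature check of their own, which is sound only if the CRL signature is still verified with prevKey afterwards — worth confirming in the code that follows this hunk. Separately, `akidext.get(akidext.KEY_ID)` and `akidext.get(akidext.SERIAL_NUMBER)` read static constants through an instance; `AuthorityKeyIdentifierExtension.KEY_ID` (the same applies in ForwardBuilder) reads better and avoids the static-access lint warning. The enclosing method starts and ends outside the hunk.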
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -30,6 +30,7 @@ import java.util.*;
|
||||
|
||||
import java.security.GeneralSecurityException;
|
||||
import java.security.InvalidKeyException;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.CertPathValidatorException;
|
||||
import java.security.cert.PKIXReason;
|
||||
@ -43,12 +44,22 @@ import java.security.cert.X509CertSelector;
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.DerOutputStream;
|
||||
import sun.security.x509.AccessDescription;
|
||||
import sun.security.x509.AuthorityInfoAccessExtension;
|
||||
import sun.security.x509.PKIXExtensions;
|
||||
import sun.security.x509.PolicyMappingsExtension;
|
||||
import sun.security.x509.X500Name;
|
||||
import sun.security.x509.X509CertImpl;
|
||||
import sun.security.x509.X509CRLImpl;
|
||||
import sun.security.x509.AuthorityKeyIdentifierExtension;
|
||||
import sun.security.x509.KeyIdentifier;
|
||||
import sun.security.x509.SubjectKeyIdentifierExtension;
|
||||
import sun.security.x509.SerialNumber;
|
||||
import sun.security.x509.GeneralNames;
|
||||
import sun.security.x509.GeneralName;
|
||||
import sun.security.x509.GeneralNameInterface;
|
||||
import java.math.BigInteger;
|
||||
|
||||
/**
|
||||
* This class represents a forward builder, which is able to retrieve
|
||||
@ -237,7 +248,7 @@ class ForwardBuilder extends Builder {
|
||||
} else {
|
||||
|
||||
if (caSelector == null) {
|
||||
caSelector = new X509CertSelector();
|
||||
caSelector = new AdaptableX509CertSelector();
|
||||
|
||||
/*
|
||||
* Match on certificate validity date.
|
||||
@ -269,6 +280,29 @@ class ForwardBuilder extends Builder {
|
||||
* at least as many CA certs that have already been traversed
|
||||
*/
|
||||
caSelector.setBasicConstraints(currentState.traversedCACerts);
|
||||
|
||||
/*
|
||||
* Facilitate certification path construction with authority
|
||||
* key identifier and subject key identifier.
|
||||
*/
|
||||
AuthorityKeyIdentifierExtension akidext =
|
||||
currentState.cert.getAuthorityKeyIdentifierExtension();
|
||||
if (akidext != null) {
|
||||
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
|
||||
if (akid != null) {
|
||||
DerOutputStream derout = new DerOutputStream();
|
||||
derout.putOctetString(akid.getIdentifier());
|
||||
caSelector.setSubjectKeyIdentifier(derout.toByteArray());
|
||||
}
|
||||
|
||||
SerialNumber asn =
|
||||
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
|
||||
if (asn != null) {
|
||||
caSelector.setSerialNumber(asn.getNumber());
|
||||
}
|
||||
// the subject criterion was set previously.
|
||||
}
|
||||
|
||||
sel = caSelector;
|
||||
}
|
||||
|
||||
@ -817,13 +851,25 @@ class ForwardBuilder extends Builder {
|
||||
} else {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
X500Principal principal = anchor.getCA();
|
||||
java.security.PublicKey publicKey = anchor.getCAPublicKey();
|
||||
|
||||
X500Principal trustedCAName = anchor.getCA();
|
||||
if (principal != null && publicKey != null &&
|
||||
principal.equals(cert.getSubjectX500Principal())) {
|
||||
if (publicKey.equals(cert.getPublicKey())) {
|
||||
// the cert itself is a trust anchor
|
||||
this.trustAnchor = anchor;
|
||||
return true;
|
||||
}
|
||||
// else, it is a self-issued certificate of the anchor
|
||||
}
|
||||
|
||||
/* Check subject/issuer name chaining */
|
||||
if (!trustedCAName.equals(cert.getIssuerX500Principal())) {
|
||||
continue;
|
||||
// Check subject/issuer name chaining
|
||||
if (principal == null ||
|
||||
!principal.equals(cert.getIssuerX500Principal())) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* Check revocation if it is enabled */
|
||||
@ -890,4 +936,120 @@ class ForwardBuilder extends Builder {
|
||||
void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) {
|
||||
certPathList.removeFirst();
|
||||
}
|
||||
|
||||
/** Verifies whether a CRL is issued by a certain certificate
|
||||
*
|
||||
* @param cert the certificate
|
||||
* @param crl the CRL to be verified
|
||||
* @param provider the name of the signature provider
|
||||
*/
|
||||
static boolean issues(X509CertImpl cert, X509CRLImpl crl, String provider)
|
||||
throws IOException {
|
||||
|
||||
boolean kidmatched = false;
|
||||
|
||||
// check certificate's key usage
|
||||
boolean[] usages = cert.getKeyUsage();
|
||||
if (usages != null && !usages[6]) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// check certificate's SKID and CRL's AKID
|
||||
AuthorityKeyIdentifierExtension akidext = crl.getAuthKeyIdExtension();
|
||||
if (akidext != null) {
|
||||
// the highest priority, matching KID
|
||||
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
|
||||
if (akid != null) {
|
||||
SubjectKeyIdentifierExtension skidext =
|
||||
cert.getSubjectKeyIdentifierExtension();
|
||||
if (skidext != null) {
|
||||
KeyIdentifier skid =
|
||||
(KeyIdentifier)skidext.get(skidext.KEY_ID);
|
||||
if (!akid.equals(skid)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
kidmatched = true;
|
||||
}
|
||||
// conservatively, in case of X509 V1 certificate,
|
||||
// does return false here if no SKID extension.
|
||||
}
|
||||
|
||||
// the medium priority, matching issuer name/serial number
|
||||
SerialNumber asn = (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
|
||||
GeneralNames anames = (GeneralNames)akidext.get(akidext.AUTH_NAME);
|
||||
if (asn != null && anames != null) {
|
||||
X500Name subject = (X500Name)cert.getSubjectDN();
|
||||
BigInteger serial = cert.getSerialNumber();
|
||||
|
||||
if (serial != null && subject != null) {
|
||||
if (serial.equals(asn.getNumber())) {
|
||||
return false;
|
||||
}
|
||||
|
||||
for (GeneralName name : anames.names()) {
|
||||
GeneralNameInterface gni = name.getName();
|
||||
if (subject.equals(gni)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
if (kidmatched) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// the last priority, verify the CRL signature with the cert.
|
||||
X500Principal crlIssuer = crl.getIssuerX500Principal();
|
||||
X500Principal certSubject = cert.getSubjectX500Principal();
|
||||
if (certSubject != null && certSubject.equals(crlIssuer)) {
|
||||
try {
|
||||
crl.verify(cert.getPublicKey(), provider);
|
||||
return true;
|
||||
} catch (Exception e) {
|
||||
// ignore all exceptions.
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* An adaptable X509 certificate selector for forward certification path
|
||||
* building.
|
||||
*/
|
||||
private static class AdaptableX509CertSelector extends X509CertSelector {
|
||||
public AdaptableX509CertSelector() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
* Decides whether a <code>Certificate</code> should be selected.
|
||||
*
|
||||
* For the purpose of compatibility, when a certificate is of
|
||||
* version 1 and version 2, or the certificate does not include
|
||||
* a subject key identifier extension, the selection criterion
|
||||
* of subjectKeyIdentifier will be disabled.
|
||||
*
|
||||
* @Override
|
||||
*/
|
||||
public boolean match(Certificate cert) {
|
||||
if (!(cert instanceof X509Certificate)) {
|
||||
return false;
|
||||
}
|
||||
X509Certificate xcert = (X509Certificate)cert;
|
||||
|
||||
if (xcert.getVersion() < 3 ||
|
||||
xcert.getExtensionValue("2.5.29.14") == null) {
|
||||
// disable the subjectKeyIdentifier criterion
|
||||
setSubjectKeyIdentifier(null);
|
||||
}
|
||||
|
||||
return super.match(cert);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
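Review bot: In `issues()`, the medium-priority branch treats the AKID's authorityCertIssuer/authorityCertSerialNumber as if they named the candidate certificate's subject: `if (serial.equals(asn.getNumber())) { return false; }` rejects a candidate whose serial number matches, and `anames` is compared with `cert`'s subject rather than its issuer, whereas per RFC 5280 §4.2.1.1 those two fields identify the issuing certificate by its issuer name and serial number. A self-issued CRL issuer (subject equals issuer) passes the name comparison anyway, which would hide the inversion in the new tests, so please confirm the intended semantics and either flip the checks (`if (!serial.equals(asn.getNumber())) return false;` and compare `anames` against `(X500Name)cert.getIssuerDN()`) or document why the candidate's subject is the right name to match. `AdaptableX509CertSelector.match` permanently clears the subjectKeyIdentifier criterion with `setSubjectKeyIdentifier(null)` the first time it sees a v1/v2 or SKID-less candidate, so every later candidate in the same CertStore query — and the cached `caSelector` reused across builder iterations — is matched without the SKID narrowing this commit introduces; the criterion should be suspended for that one candidate only, as below. The `@Override` on that method sits inside the Javadoc text instead of being an annotation on the method and so has no effect. The trailing `catch (Exception e)` in `issues()` also swallows runtime failures; `catch (GeneralSecurityException e)`, which is already imported and covers every checked type `verify` declares, keeps the best-effort behaviour without masking bugs.
```java
        public boolean match(Certificate cert) {
            // … unchanged: instanceof check and cast to xcert …

            if (xcert.getVersion() < 3 ||
                    xcert.getExtensionValue("2.5.29.14") == null) {
                // suspend the subjectKeyIdentifier criterion for this
                // candidate only; leave the selector's state untouched
                byte[] saved = getSubjectKeyIdentifier();
                setSubjectKeyIdentifier(null);
                try {
                    return super.match(cert);
                } finally {
                    setSubjectKeyIdentifier(saved);
                }
            }

            return super.match(cert);
        }
```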
@ -0,0 +1,260 @@
|
||||
/*
|
||||
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||
* CA 95054 USA or visit www.sun.com if you need additional information or
|
||||
* have any questions.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @test
|
||||
* @bug 6852744
|
||||
* @summary PIT b61: PKI test suite fails because self signed certificates
|
||||
* are being rejected
|
||||
* @run main/othervm DisableRevocation subca
|
||||
* @run main/othervm DisableRevocation subci
|
||||
* @run main/othervm DisableRevocation alice
|
||||
* @author Xuelei Fan
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import java.net.SocketException;
|
||||
import java.util.*;
|
||||
import java.security.Security;
|
||||
import java.security.cert.*;
|
||||
import java.security.cert.CertPathValidatorException.BasicReason;
|
||||
import sun.security.util.DerInputStream;
|
||||
|
||||
/**
|
||||
* A test case helps to ensure that a certification path building process is
|
||||
* able to identify a self-issued certificate from its issuer when disable
|
||||
* revocation checking.
|
||||
*/
|
||||
public final class DisableRevocation {
|
||||
|
||||
// the trust anchor
|
||||
static String selfSignedCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +
|
||||
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
|
||||
"AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +
|
||||
"81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +
|
||||
"m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +
|
||||
"AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +
|
||||
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
|
||||
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
|
||||
"DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +
|
||||
"ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +
|
||||
"DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +
|
||||
"v/E=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// the sub-ca
|
||||
static String subCaCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +
|
||||
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
|
||||
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +
|
||||
"srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +
|
||||
"+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +
|
||||
"E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +
|
||||
"KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
|
||||
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
|
||||
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +
|
||||
"MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +
|
||||
"RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +
|
||||
"iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// a delegated CRL issuer, it's a self-issued certificate of trust anchor
|
||||
static String topCrlIssuerCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +
|
||||
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
|
||||
"AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +
|
||||
"/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +
|
||||
"hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +
|
||||
"AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +
|
||||
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
|
||||
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
|
||||
"DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +
|
||||
"xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +
|
||||
"rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +
|
||||
"G0c=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// a delegated CRL issuer, it's a self-issued certificate of sub-ca
|
||||
static String subCrlIssuerCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +
|
||||
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
|
||||
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +
|
||||
"OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +
|
||||
"obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +
|
||||
"GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +
|
||||
"xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
|
||||
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
|
||||
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +
|
||||
"Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +
|
||||
"pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +
|
||||
"Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// the target EE certificate
|
||||
static String targetCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +
|
||||
"MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
|
||||
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
|
||||
"9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +
|
||||
"T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +
|
||||
"1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +
|
||||
"cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +
|
||||
"uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +
|
||||
"9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +
|
||||
"yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +
|
||||
"G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
private static Set<TrustAnchor> generateTrustAnchors()
|
||||
throws CertificateException {
|
||||
// generate certificate from cert string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
|
||||
ByteArrayInputStream is =
|
||||
new ByteArrayInputStream(selfSignedCertStr.getBytes());
|
||||
Certificate selfSignedCert = cf.generateCertificate(is);
|
||||
|
||||
// generate a trust anchor
|
||||
TrustAnchor anchor =
|
||||
new TrustAnchor((X509Certificate)selfSignedCert, null);
|
||||
|
||||
return Collections.singleton(anchor);
|
||||
}
|
||||
|
||||
private static CertStore generateCertificateStore() throws Exception {
|
||||
Collection entries = new HashSet();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
|
||||
ByteArrayInputStream is;
|
||||
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
Certificate cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
return CertStore.getInstance("Collection",
|
||||
new CollectionCertStoreParameters(entries));
|
||||
}
|
||||
|
||||
private static X509CertSelector generateSelector(String name)
|
||||
throws Exception {
|
||||
X509CertSelector selector = new X509CertSelector();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
ByteArrayInputStream is = null;
|
||||
if (name.equals("subca")) {
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
} else if (name.equals("subci")) {
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
} else {
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
}
|
||||
|
||||
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
|
||||
byte[] extVal = target.getExtensionValue("2.5.29.14");
|
||||
if (extVal != null) {
|
||||
DerInputStream in = new DerInputStream(extVal);
|
||||
byte[] subjectKID = in.getOctetString();
|
||||
selector.setSubjectKeyIdentifier(subjectKID);
|
||||
} else {
|
||||
// unlikely to happen.
|
||||
throw new Exception("unexpected certificate: no SKID extension");
|
||||
}
|
||||
|
||||
return selector;
|
||||
}
|
||||
|
||||
private static boolean match(String name, Certificate cert)
|
||||
throws Exception {
|
||||
X509CertSelector selector = new X509CertSelector();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
ByteArrayInputStream is = null;
|
||||
if (name.equals("subca")) {
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
} else if (name.equals("subci")) {
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
} else {
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
}
|
||||
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
|
||||
|
||||
return target.equals(cert);
|
||||
}
|
||||
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
|
||||
|
||||
X509CertSelector selector = generateSelector(args[0]);
|
||||
|
||||
Set<TrustAnchor> anchors = generateTrustAnchors();
|
||||
CertStore certs = generateCertificateStore();
|
||||
|
||||
|
||||
PKIXBuilderParameters params =
|
||||
new PKIXBuilderParameters(anchors, selector);
|
||||
params.addCertStore(certs);
|
||||
params.setRevocationEnabled(false);
|
||||
params.setDate(new Date(109, 7, 1)); // 2009-07-01
|
||||
Security.setProperty("ocsp.enable", "false");
|
||||
System.setProperty("com.sun.security.enableCRLDP", "false");
|
||||
|
||||
PKIXCertPathBuilderResult result =
|
||||
(PKIXCertPathBuilderResult)builder.build(params);
|
||||
|
||||
if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
|
||||
throw new Exception("unexpected certificate");
|
||||
}
|
||||
}
|
||||
}
|
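Review bot: The comment on `params.setDate(new Date(109, 7, 1)); // 2009-07-01` does not match the value: the month argument of `java.util.Date` is zero-based, so this is 2009-08-01; either correct the comment or use `new Date(109, 6, 1)` if July was intended (judging by the notBefore dates in the embedded certificates both fall inside their validity windows, but the comment should say what the code does). `Collection entries = new HashSet();` in generateCertificateStore is a raw type; `Collection<Certificate> entries = new HashSet<Certificate>();` matches what `CollectionCertStoreParameters` accepts and removes the unchecked warning. The name-to-certificate selection is duplicated between `generateSelector` and `match`; a single `private static X509Certificate loadCert(String name)` helper would keep the two in step. `getBytes()` without an explicit charset and the unused `SocketException`/`BasicReason` imports are minor cleanups.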
@ -0,0 +1,303 @@
|
||||
/*
|
||||
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License version 2 only, as
|
||||
* published by the Free Software Foundation.
|
||||
*
|
||||
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
* version 2 for more details (a copy is included in the LICENSE file that
|
||||
* accompanied this code).
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License version
|
||||
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
*
|
||||
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||
* CA 95054 USA or visit www.sun.com if you need additional information or
|
||||
* have any questions.
|
||||
*/
|
||||
|
||||
/**
|
||||
* @test
|
||||
* @bug 6852744
|
||||
* @summary PIT b61: PKI test suite fails because self signed certificates
|
||||
* are being rejected
|
||||
* @run main/othervm KeyUsageMatters subca
|
||||
* @run main/othervm KeyUsageMatters subci
|
||||
* @run main/othervm KeyUsageMatters alice
|
||||
* @author Xuelei Fan
|
||||
*/
|
||||
|
||||
import java.io.*;
|
||||
import java.net.SocketException;
|
||||
import java.util.*;
|
||||
import java.security.Security;
|
||||
import java.security.cert.*;
|
||||
import java.security.cert.CertPathValidatorException.BasicReason;
|
||||
import sun.security.util.DerInputStream;
|
||||
|
||||
/**
|
||||
* KeyUsage extension plays a important rule during looking for the issuer
|
||||
* of a certificate or CRL. A certificate issuer should have the keyCertSign
|
||||
* bit set, and a CRL issuer should have the cRLSign bit set.
|
||||
*
|
||||
* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
|
||||
* as would be troublesome to find the proper CRL issuer during certificate
|
||||
* path build if the delegated CRL issuer is a self-issued certificate, for
|
||||
* it is hard to identify it from its issuer by the "issuer" field only.
|
||||
*
|
||||
* The fix of 6852744 should addresses above issue, and allow a delegated CRL
|
||||
* issuer to have keyCertSign bit set.
|
||||
*
|
||||
* In the test case, the delegated CRL issuers have cRLSign bit set only, and
|
||||
* the CAs have the keyCertSign bit set only, it is expected to work before
|
||||
* and after the bug fix of 6852744.
|
||||
*/
|
||||
public final class KeyUsageMatters {
|
||||
|
||||
// the trust anchor
|
||||
static String selfSignedCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
|
||||
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
|
||||
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
|
||||
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
|
||||
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
|
||||
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
|
||||
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
|
||||
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
|
||||
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
|
||||
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
|
||||
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
|
||||
"Vjw=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// the sub-ca
|
||||
static String subCaCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
|
||||
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
|
||||
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
|
||||
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
|
||||
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
|
||||
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
|
||||
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
|
||||
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
|
||||
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
|
||||
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
|
||||
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
|
||||
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// a delegated CRL issuer, it's a self-issued certificate of trust anchor
|
||||
static String topCrlIssuerCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
|
||||
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
|
||||
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
|
||||
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
|
||||
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
|
||||
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
|
||||
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
|
||||
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
|
||||
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
|
||||
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
|
||||
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// a delegated CRL issuer, it's a self-issued certificate of sub-ca
|
||||
static String subCrlIssuerCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
|
||||
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
|
||||
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
|
||||
"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
|
||||
"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
|
||||
"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
|
||||
"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
|
||||
"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
|
||||
"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
|
||||
"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
|
||||
"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
|
||||
"rg==\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// the target EE certificate
|
||||
static String targetCertStr =
|
||||
"-----BEGIN CERTIFICATE-----\n" +
|
||||
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
|
||||
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
|
||||
"MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
|
||||
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
|
||||
"9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
|
||||
"ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
|
||||
"V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
|
||||
"pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
|
||||
"4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
|
||||
"9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
|
||||
"wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
|
||||
"Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
|
||||
"-----END CERTIFICATE-----";
|
||||
|
||||
// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
|
||||
static String topCrlStr =
|
||||
"-----BEGIN X509 CRL-----\n" +
|
||||
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
|
||||
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
|
||||
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
|
||||
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
|
||||
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
|
||||
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
|
||||
"-----END X509 CRL-----";
|
||||
|
||||
// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
|
||||
static String subCrlStr =
|
||||
"-----BEGIN X509 CRL-----\n" +
|
||||
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
|
||||
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
|
||||
"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
|
||||
"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
|
||||
"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
|
||||
"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
|
||||
"ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
|
||||
"-----END X509 CRL-----";
|
||||
|
||||
private static Set<TrustAnchor> generateTrustAnchors()
|
||||
throws CertificateException {
|
||||
// generate certificate from cert string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
|
||||
ByteArrayInputStream is =
|
||||
new ByteArrayInputStream(selfSignedCertStr.getBytes());
|
||||
Certificate selfSignedCert = cf.generateCertificate(is);
|
||||
|
||||
// generate a trust anchor
|
||||
TrustAnchor anchor =
|
||||
new TrustAnchor((X509Certificate)selfSignedCert, null);
|
||||
|
||||
return Collections.singleton(anchor);
|
||||
}
|
||||
|
||||
private static CertStore generateCertificateStore() throws Exception {
|
||||
Collection entries = new HashSet();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
|
||||
ByteArrayInputStream is;
|
||||
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
Certificate cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
cert = cf.generateCertificate(is);
|
||||
entries.add(cert);
|
||||
|
||||
// generate CRL from CRL string
|
||||
is = new ByteArrayInputStream(topCrlStr.getBytes());
|
||||
Collection mixes = cf.generateCRLs(is);
|
||||
entries.addAll(mixes);
|
||||
|
||||
is = new ByteArrayInputStream(subCrlStr.getBytes());
|
||||
mixes = cf.generateCRLs(is);
|
||||
entries.addAll(mixes);
|
||||
|
||||
return CertStore.getInstance("Collection",
|
||||
new CollectionCertStoreParameters(entries));
|
||||
}
|
||||
|
||||
private static X509CertSelector generateSelector(String name)
|
||||
throws Exception {
|
||||
X509CertSelector selector = new X509CertSelector();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
ByteArrayInputStream is = null;
|
||||
if (name.equals("subca")) {
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
} else if (name.equals("subci")) {
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
} else {
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
}
|
||||
|
||||
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
|
||||
byte[] extVal = target.getExtensionValue("2.5.29.14");
|
||||
if (extVal != null) {
|
||||
DerInputStream in = new DerInputStream(extVal);
|
||||
byte[] subjectKID = in.getOctetString();
|
||||
selector.setSubjectKeyIdentifier(subjectKID);
|
||||
} else {
|
||||
// unlikely to happen.
|
||||
throw new Exception("unexpected certificate: no SKID extension");
|
||||
}
|
||||
|
||||
return selector;
|
||||
}
|
||||
|
||||
private static boolean match(String name, Certificate cert)
|
||||
throws Exception {
|
||||
X509CertSelector selector = new X509CertSelector();
|
||||
|
||||
// generate certificate from certificate string
|
||||
CertificateFactory cf = CertificateFactory.getInstance("X.509");
|
||||
ByteArrayInputStream is = null;
|
||||
if (name.equals("subca")) {
|
||||
is = new ByteArrayInputStream(subCaCertStr.getBytes());
|
||||
} else if (name.equals("subci")) {
|
||||
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
|
||||
} else {
|
||||
is = new ByteArrayInputStream(targetCertStr.getBytes());
|
||||
}
|
||||
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
|
||||
|
||||
return target.equals(cert);
|
||||
}
|
||||
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
|
||||
|
||||
X509CertSelector selector = generateSelector(args[0]);
|
||||
|
||||
Set<TrustAnchor> anchors = generateTrustAnchors();
|
||||
CertStore certs = generateCertificateStore();
|
||||
|
||||
|
||||
PKIXBuilderParameters params =
|
||||
new PKIXBuilderParameters(anchors, selector);
|
||||
params.addCertStore(certs);
|
||||
params.setRevocationEnabled(true);
|
||||
params.setDate(new Date(109, 5, 1)); // 2009-05-01
|
||||
Security.setProperty("ocsp.enable", "false");
|
||||
System.setProperty("com.sun.security.enableCRLDP", "true");
|
||||
|
||||
PKIXCertPathBuilderResult result =
|
||||
(PKIXCertPathBuilderResult)builder.build(params);
|
||||
|
||||
if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
|
||||
throw new Exception("unexpected certificate");
|
||||
}
|
||||
}
|
||||
}
|
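--- a/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README
+++ b/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README
@@ -0,0 +1,382 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+
+Certificates and CRLs
+
+The certificates and CRLs used by KeyUsageMatters.java are copied from
+test/java/security/cert/CertPathValidator/indirectCRL.
+
+Here lists the local generated certificates and CRLs used in the test cases.
+
+The generate.sh depends on openssl, and it should be run under ksh. The
+script will create many directories and files, please run it in a
+directory outside of JDK workspace.
+
+1. root certifiate and key
+-----BEGIN CERTIFICATE-----
+MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8
+81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7
+m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID
+AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME
+QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey
+ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj
+DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9
+v/E=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,46F13CECA9B38323
+
+AVNWPH7jiPyJVq9KfL3IlGVCwD41KVapg12yJR2t/WWlLaKr19/0oWNvimcrd040
+txFKvcFO9TFLxmaco33+actCoL0K/XbrCBICThZLybzcFTuYFMum8eqL61avQgBe
+Kt4CCjcupWLzKWkKTMV/bP6nPnPUSB9U8QeGwutjJYnLDi0TuYx8YSqZo/36vM98
+r3OvtcSA5XEN4guxxHusZJnhbclVb/Z1WtLVb4v2d5yBtPM2p3R0hK17L4Dnusjl
+n56z6Z0AIYmfAggM/Fpge2uT3D/5n//l1lZRNoSvsX5UZipKswZKLpvx7IJ+AqgA
+UO9lcmNLGnIXME3IS3smd83wPi7nxH3NCYWHbGAKLm6mkFMs5LOhofUMOBS3Rxmm
+2RjCGtuzDxBPKveo9/Y80B//6sEce2gdi7fCKgWwtR4VFuJd0hWODD6CarK3edHH
+rUG62Kt2aqiI/y/NLEbfHCHbyM37c9/OzS5Zy695dDl22r5EirVFsVgejQR1JGtP
+ANdc6kkkJW+s6GiqimShssMTp1x0L8twT/+wEa38LafiaPKk4OweleBuyz7k2FxA
+Rr2u9IOvGU3eKAeH8HSFWvaNE9S2lYFPiWWZ6O/LzVvnb847+gungQ7SPRzOkt4k
+L4PtHIoKmLWFr5tzML1Q8wiaKcTWMb5LZbRbo+2XYGoIpilxkBBuhX7cMJFwOHEf
+YJJRixBI97doPsnIQ3GkA8xY+INzQ4LWNQbnEtS7L7t26NA9tDlg4ILU/UfMoQIp
+Ol4EZY1U7gD8BeMwo2vX3x/WA+a7R2N95klBFNqn9jSkm6a5yoeCZw==
+-----END RSA PRIVATE KEY-----
+
+
+2. root crl issuer and key
+-----BEGIN CERTIFICATE-----
+MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa
+MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN
+/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3
+hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID
+AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME
+QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO
+BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
+DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk
+xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0
+rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP
+G0c=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3881A5676C1AD5E5
+
+KgaAtGlIQXVnsoifcd1oTi4hS1J+InHISFcZepI1h1hrU9KVAJAlwD1GIeM2qAkG
+P1ABsA0TE0yRJpd3qHih2IPtD42osfc3HmNTw17nh4Trd3ESilrs4w/rrH8e6bR5
+WlqG0OKsw8x57t44m9yX94+pP3tdPaJwnFk5M7pDCO44IZskmy10S0NHBn7wMwM/
+mqlZ15mK6YZTwOuLzpdSDJqYPLiv77KpfeiqSN++ISXoNhIcNYHRVyErAS/DcBlx
+mbrmBaGexhuagQYqVikEDIvg8kBDWD92EjOFbz94Z6eTvliauJ/+E1/Ffefe2cN5
+LaVwuUsiyW9GjarWwBJDFrXesTikklshC9V35j/ACHVdh5CuO8FGfVijIwlbZ14N
+xKWJdSlZlJgEjkwUlWfi1KmrFrob+yK20fGMWr3oY1rTKWZdYkrqnnKEYcMQV/TH
+XNY77D5idJ3FLtvJyziqIFuohdatQsu6xFP5UEOeUi6OhptJDjjS+zDhiBlL4cqA
+klThzvuycxjZT+5xno0f8GEnZkQNcC6xxPoP6vstNMKLz1rI1CVUSXZBHc5nfMaF
+m75rrLbvf6F2NLUspaNXnW8TUMHxcu8nNCnM4/u6hkqebQo/N8X1/v1HImsewwWO
+P5uJwqmqfuRz0vZyMKAk3FzQIfrjJouxDfkNV2YHM9VP/grPlDgzmgiN0+6bCbn+
+RW2K8kvkSFZehQ1Ygdst9KYH3NEcEYVYY9pH1N1xRNAylcIDJNwrFwf9vfwjt9/q
+AVsyDxUBT/KVCcqr15LNNq9HmmcP6IZZMRjdyf2BR+/cobxxDRZq1Q==
+-----END RSA PRIVATE KEY-----
+
+
+3. root CRL issued by root crl issuer.
+-----BEGIN X509 CRL-----
+MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX
+DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ
+KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1
+v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN
+GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=
+-----END X509 CRL-----
+
+
+4. subca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X
+srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA
++csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v
+E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES
+KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv
+MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb
+RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP
+iil34GktVl6gfMKGzUEW/Dh8OM4=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,35408AD3018F0049
+
+4t6WfpFNqpOr47Wc/OAt8+KZK0+WX7d3nlJn47W+QN7AkPfBlLBpcQJkImhP4/eh
+aJyk8fPOdUhT/4rgc5ORuKk4d9boD36KK5Iz/+/oNBxzuld6TybVb+Hvw41cIZTW
+CtkvADQpR8XWbPre+3ZH2eAKoTeWX0xR7pYg1JsFk9vxee6U82iqsAYRdUOdot8D
+9zdDbbeaLWs78UbZkxFtuXREuyNVX880Q17t8qszJL2KmmtMQpUvxTlW04Ope1Ug
+uIuOxeannzpKRD+37fj+oacM3GRqVFOP47/NVaziOexDBn4b5nlW6OMro6t0qiHt
+1GLJcw1oLXoFe8ycexfzYWUiHymSz5Vh3wIflsQY+Ik6dopL+fpk2cVD0bncKJlf
+Ie9PvL04RwannRjgtPl9X05tzcgeyznp2Ix1/rsriZQQpdPTLGA6w6kUhQeK6TwT
+eX7pXn3iLTGK+VoHRfbxBQR2Fvq1nRJbvsmJFhPOcJU5CYSaDPGGdA6NorbdVgbc
+14DlkhzojhEpZ7DaUeFNUXUMlQOR5UUTZB+wL3zQoY/FzHci3JD1Gj4NlbC9mMEg
+ncWZcpZWOnP2kHSz2o/UOxQM80gerukI7NOr020iJ+ZZRb/gyAAzLPnD+mCZ7/e2
+JJ3x6yHOtVA6WzZiQH1d9/bm79rtcWaRH83X/idG1lHuKXQJFAaw5f7Z2n2/yuF1
+9pZf7el1M7UoBf74oc68klAl46f4inroy8anAtc/qjSTXUYQrNvKZsWU9AZVS7oH
+iEuYMVW4KiZh3SHsIg5TZdMbdVYtZpcTsl/Kh6XuY0o0Xsi+rTK5AA==
+-----END RSA PRIVATE KEY-----
+
+
+5. crl issuer of subca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw
+OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX
+obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG
+GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN
+xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh
+Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc
+pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV
+Fu987DvLmZ2GuQA9FKJsnlD9pbU=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4CD10EAA24AF8C25
+
+6pTRc9jsn6CJ2EMYhuGX3aWrDThhacnqdtsKIqUzX8Ga7Jz9kq6HseTRlqPkzBfb
+rCl+eVIkgugrPbf93375mP/ozY8LkEgD9TRAL1uXqha2N6TRLC2ozQJQSoIc441e
+UZ9XkB6tPGRfPNvi1xE0WTP7bjOUkvkPU9wM9QFuBW6B7mRf3tG2nqkFiTpY6nz8
+5X5+h9jafcCvMwYhfJm0JFTGWmX4WJWubs8QeYndvIriDDw2zpVNcno45sClSQCb
+YVekMLgGlKPmNGub5iRfXsozykE3jbMnXRokxrvzk20jjo0XYPVGfCRe9IhJh8Ud
+iCG/kPaJspbUkUlKXfvIOdp2pnoDFZI5hbfc75YrFYJ8x8dwRYBUl6yRtBkw5Yo/
+VQDuNq3d7YpxiGxVTwFox6HQ5+rs6jwSGzOilgOCxPSs41fYcdAlogNqLzjvhn+e
+0GU1XTVyMJbO0Ae6Sgm4PmxU7QM2bdzESuZWbYRFbH2ywwmoR8SahB3ICBhuIA/l
+lsCrBbq+jL/K2IL1VXBKuaKBN1ShKUPZD/ABWNv4uENNg2AFq1XQ6kvTU8Glfhd9
+tyK8YnJ0ViY4VLGhdf0s2eEPmbfxOv0HCW0sz/57eASoQSTJTdVApYopWHBOwaNq
+8qQUEPDMTKaPNqCjA2m/NwGrLPHhU0d5dHmp+9gTbCTmWy4sVenhBPbOy6wvFpNA
+F+35tJVaZQOOurm/KC2dLOYkKyAvqnB7D2q4zducpWkiyCweg7uYL14Mo5JQmGuq
+2DwfRiMxdqqoqHFKEOxsoAMrKSwJlYojUknfz/LEaqxtMePQtNwhjw==
+-----END RSA PRIVATE KEY-----
+
+
+6. CLR issued by subca CRL issuer
+-----BEGIN X509 CRL-----
+MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw
+ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO
+MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO
+oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe
+5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr
+N9AvUXxGxU4DruoJuFPcrCI=
+-----END X509 CRL-----
+
+
+7. dumca certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjhaFw0yOTAzMTUxMzMyMjha
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeWn+ulgls9+dK3KzzfC1b
+a9RMSf+gjv/Olw5386Vw6pJOVngR11RytWJoLiKbjYPyGhP1cms2FoUKuAEO31gD
+3AoUCa+nXgaMLiDtmdC5ATqVv3Oap5aNgAqq0mxMxOylKgcUhfuH2icEnfBtHzEe
+ST11S69zQr5GGfa/XslbDQIDAQABo4GJMIGGMB0GA1UdDgQWBBRCmXIsp4G3iP7Z
+Qv4gS19W8W/cLzBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAkRiLpJesXyNQ34ZP
+Oc4d0gvCl4pyNHx5gsV0yHtxP7oYoIa7Bw4setplQ9Y2YcH5xuXK84xvAby9csWp
+cod1QOkFzZfb9qj10PXfD8bMoLOyrZfr5nsNAl2scvOtnM1TFL/ll5/S2PVcPthx
+Z5t128UNQYMu93OmVjZANL5L6Jw=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,11485599004D2482
+
+R+TgUoQo1Ksqpnwh1B1x3u7jxd1qJsfG5st7WJaeJzSY3v+ZnmTS4O008eKgw6Z1
+eGJevsNW8Z8ButjChzlesCm+90jpKpOqA6MlvzeknAxtGdEfe8rUEytfNOorjJTy
+1Mu9T8Tlk6tmmmXNTDX1lQytYaHA4e4VVEbYGNceMNcPonT1Y0SyebJwtfd4XKkG
+Ty40kMnb+qrFr1ZxVRG+LWKDR/bS0S2K2zY6Ha45d8yoYZlgLZ7yVAlrp0T0PF4B
+UWvSyNK9VOBLrvqXSofK5gNGkR/C63x8FU2V25ISicBQBXLNo9OgIsbrryHF330T
+2TxhnOpFU1AwgTSfp4Fy/Htkvgo7/jmFRa3r4xelTdEUKvRrwaZeMjg0fT+24529
+8o8MMOF0YWNtIDNUVRFg9/DgAsD/LoXbOGc/E2ryJdq1D4N914s4m/D5Sox27iu4
+3op/dt+WMoA0g/YbjhWn2cAfWcH9P8p8/n/FUO8APmGI3aHbtOhJQ8qwxcalp6kO
+fICWsW4ygWtdpnyJWzAY0Udtsl8mglTppGTl59OYZmlDQTLhJ1hWiXLeNKj0pGPz
+bAJ5jGQN8zXAk83j019rI5WveAdWp+w1XRGvmPxLL3heojHrkutuYLQ0LOcFwNvg
+OqmPvZneRBoy6Yshp0XyYy+qioxDm+Vd/NV1/aCWgQXJA3vFqUg3AURLFHHTh+7h
+fa3DDCLtdg/wJkRtOWjFhq0hgx5sb9zVv8HCuMERbZJbWwDOfSrHJwXj4KaTHVqY
+OWfBE9vzeAxRpdpe69SZWYg3tyu7uSf6a5Rp55iMI3kjuQMCanvsNA==
+-----END RSA PRIVATE KEY-----
+
+
+8. crl issuer for dumca, the certificate and key
+-----BEGIN CERTIFICATE-----
+MIICUDCCAbmgAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjlaFw0yOTAzMTUxMzMyMjla
+MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
+cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF7NjUUWji4pPmFg3qx4HB
+kjtInwe7i2lPjRUN0ZwTcWob2RaD1+fhc7seeNmnypjERTa9TXF5cs2PgSHWNISC
+QbQpbobOUcSsV/6Lr0kvrHJuVowcX13VsApGSJavVs2oJqUiFGNpnch8yR/pMHJf
+hsd/Go+nUXMOl2xN31DMFQIDAQABo4GJMIGGMB0GA1UdDgQWBBS1XVE2CYKHgO7t
+1koYVTu2w7xgNTBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
+HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
+AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAHYraYtdetZFOiTUR
+dhvUi556el1WT25O8pF21YAzRI7KI4yzl6deD29DtcIPiBc8H1A4U6OhwXSQsqTd
+taOHHdZxnU+m078mb231OPVvo48uZwpnX35g/qItW+Nb/dIEb08537oQKoGgL0hV
+sKZPWod70JBkJabDuUirorhlk4A=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,1E0E5983F90A10E0
+
+KdPTRmJjeKXFTgdVIgP0eu+m0evwVD2QFMkT3pPI9HELRxtkgIQzjK8F0KIHK9vi
+Ur0CMgJkX0zs2v7HIG7jvfQ2fREidRTk1g3xCjHXVbpwjWN2dbo+mR0J2zzxNILy
+mSs13PlDPdV81Vkn1WkMY0lhdrEpR6senQ4KIiMJTMsWZabG3lyFM6d7ag7CDVC+
+jnsUFg2XW5dYP/kb09p14+CdiQwruNVeVEWhWPG1pAjl7hXCEM5ssz9fNk6Gyh2X
+OXB2mMysqTkt+qB+OIqLKj3NTUs2ovVQZnaCaynsnMYTcIEFmv3lC0gJHYAZtBXf
+IkySb+VaB7wmk1CI1+texDU8+B2sq7wmqX0SLY7dMwkbxP1kydn9U5i4Gqmdxpw5
+4+jn7dB6oKfVFlXIZTZzhmN44cIdai48qVmse1BRDxUdfmlgd9C2W1mw4N60BXbt
+DeNr8ua5UtcUOXBGJk6VEJapDU/dnnANhVR4R48Y9t+g1qlhwHB4zbSrAIJ5Rsbg
+6pvdt7BQmFXtm4flZbf21Lr8awWkNFdc/k/3uXA6xemgsFNxPZXlpXO26KpIP+nz
+lt9Q82WxIkzE+BvO+qd5wMqQ/GC/ztO8GJeGdRIo6un7KkNKs2AZDoCELo2lO53B
+EBWHeABtJpB1Fw3lW3iJn0A6YbYzK1omztoNMkesBIi0QI5L/e0tq4Mp+LUjLm+Y
+ywdrofTiYTu8R7mgS1b5q3eFtwUR9MZuKJGvhsBcSfS41vH2hDezYHg8vW55UIE3
+h7EhOUnTkHY43OKZnmXHwh3pTEmHv1TfMpeaktiU/w0=
+-----END RSA PRIVATE KEY-----
+
+9. end entity certificate issued by subca, Alice
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
+MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/
+T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS
+1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7
+cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty
+uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG
+9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk
+yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd
+G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,9E29E1901B338431
+
+796Bj4/MwwHdy6+yZQcq3pS12EZPlEm7qsCCTl787y+DYEnnj+9W4WX4+1zWsUGV
+1+39oe/KOUfi5O9ytMuKiroIrklmkskWHDoW6sr4VcDprnLYL+75AhTfgpOtY+gK
+q+++N7P2o9V6YF7PiGxaBqGy/3bt0nTu0sjctfzbo4g0PniiId9sus2Y+iRHKebJ
+r9V0b0jB8USuIsZ+4IQJFZ+/zeKuqqqPM/4v5VKNUahER8oykhRd4L9UactnVH5t
+dsfowtHmOmKE6ObJX3m+HgJMvauMMf7zJVdqJquU2vy0bUk9ufCrA7t5ws7JDRzd
+SG5gt7EVQzd5x/yXsQdKbDew5mXsYPB8vz4moTgj4YJU+m6k0t1PH00pz7LUrDHl
+E8ZAmXIKLEBIih1AWkdASR/YZsfB3URIC8mLyDSZJN5iEVJxl/JWm6pbJlP3Xn3J
+fraVEXP6uerf29CNhizq520AfGdsSqga6atdx6PXBVm67V0TZ+zmBMUQJrWmJUUC
+NFGAac+M58lYX9uwsrO9x/x6GSZvhQQu1kfD1m8DHN3IV5m3uHxsEvhmuHaqFEMJ
+uH336HbqWYENXwZfDHZvOU1o2FejsLZ7QmFjB72iAxhVNQt53pCXed2gF/bERGSn
+qi0PsYtjyzfEUefqlVRSWVulbQfGwkvl8dX9s6BxmOG1q0BzlDu+cQLYXPS+XOww
+H8GgkGp6XTd04qT/qCm8gcuxAvdkYkj2zgAIKaqeJ53S3Ua9lrIKnA3L3btiEG5F
+JTYutSdRqB4liukkB1TciiDVSmOisszjrMHhRRYPfgeLfnRFdX9U9g==
+-----END RSA PRIVATE KEY-----
+
+10. end entity certificate issued by subca, Bob
+-----BEGIN CERTIFICATE-----
+MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
+MzVaFw0yOTAzMTUxMzMyMzVaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN
+AQEBBQADgY0AMIGJAoGBALLrxd3DpXuH7yiAoyi/Rc1F7WsyyeNE1Ra2ymHpcee/
+3sbldekcgPl6lGQF/JJ5ARBbfeDtaf6ZtAK3j6aXqxVFxDKKu86r96v74gWJB7Vv
+CHcUPvmE/EGESq3VNFI998DbmvqICLC97nFLUIrKWDH1rRFZjjkmouln40UxQXvV
+AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUTXz1J2viNSKvRHIRVhD6
+cJE4lgYwHwYDVR0jBBgwFoAUYnQvA7d3Qc2BEiqUdrUeetLGdPswDQYJKoZIhvcN
+AQEEBQADgYEApsKyLf4FbXb26KsQrxgFn/w0d/7ck4cE8a6oXQqi5OLheNSWfD3S
+fgD1dR28mGmhBiyOkdLmrhA1+6BuEr4FsuyLgrFnEqKL0ZhVhiqvwKLGqvasWxfU
+Edaw4WXvRcfRWXfgjtwB6PSj/3nqGKSGRPif/OFIjO6UqHwEM7JEWO4=
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,4A820975D251613F
+
+GseD8MIztC0oYMxwpxeBO4/YPs9ZFFjgncXXcy+1oYZdlEsrS1xw87unjeHigL8m
+QPIn8Guv3DiOsBdvweuMAgPPaA1zlophPClbGZMk7BB3T2acEfjBQH1DZz7kd7Bf
+OmI2DrqcEg1yDi7l7YutBuTQPiy3nj3d7pbScuFd5YVMu6yH0YpS7JsPvviabFk2
+eYVlkaiejtQwV+4rUb7sH/0iyqX2uqvnpnGAwVzGp+tfSOl71SByz240nOODBRgY
+3Uvxkrw6XhCBAayJE0t7rkPMEe1KgZaGO2IU2jsJJbyHVjvNPSugdbsT28prZHN1
+5M1J1NSOssq/kAq6S3f9sC5j7OzP7oUlx8uMUUSaz09/Ttq22tUoqmTue2IqqxAt
+lDaeR8duHP5VV1wWnDsW/XaVYlBFQ4eFPJcXqmWsNAkDQVJp327GrcT6ngevP8fD
+BcIxyX6J0rETPruAE+1+PAGjqy+C+oB0ssyZvKcjzdajHcNxSlRpCuOO2ekDvNPO
+h+mVukNpHCEBsh3jYmk3z9i7VPLCM0BI+vheJ1TbM+homWP6bXyTQxtLfaKzXZJH
+jRJ+zGTMBNJoPVKkou03uXFpT6hdWr9nYwbMT6G9hmC0If3wEl8nRjDKbmyMS29B
+p3im1kPxVJA0DjhghC+7tACy42ffw6KZPALwaVDKHGeitrQBc3xTGfrjOGQOTTcm
+hZ8icYCY0cjl5KQ2kq2GpXa2zQMujNV/Oj7D4sE0xcASMRXl3tst77R/j0eowx1M
+niCTRphxx4iTPkieIbjWWeFTpVmSzUBrm4hSw3tiRapVWf6Zo3aAIg==
+-----END RSA PRIVATE KEY-----
+
+11. end entity certificate issued by subca, Susan
+-----BEGIN CERTIFICATE-----
+MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
+MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
+MzZaFw0yOTAzMTUxMzMyMzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
+cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAr2u6mdjqAVtfcgPze+9OUFZu3pi+HqoNBoygm2gq
+qRAe+FVNSUeNAMQesQBo/eB0F1Iv/BjnYJ/7pYMLaf90MLoYr0Q5vNKYlBdcyUee
+Jn1WmfN2Qk+UoUaiM4HAKHNJnZk13vWpZW54mcW1q09oj0oMjAZtaZsqpY6CtW6/
++J8CAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBQVK9naug5W9pQlBqD2
+fVaCXooa1TAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG
+9w0BAQQFAAOBgQDKYoM8EbP78ucjtsdvw4ywyo21hhSeP9PmRnNz/U3F9sQATmn+
+QBl6sBsrmbML2yrhkM1ctZTVUVp0S72fAbLgVjNk86p/CF+a2tmi0+lJh1aR7zQi
+opt+68Nec2/52kgWi64ruF7YITmGHBxS/RDooFbscZbdrPgcow/Jw+5HnQ==
+-----END CERTIFICATE-----
+
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,9025CDB2AB43B0DE
+
+q4hvYnqkhDSDCsbXfxtMjPvzT38ql5wscOsGwDM/xMANSyPk9h/aqAxvB8G+8v6E
+63x9Q5jRi2YY6z2sOpvu0utu7Xn6KA/H1YrpYFURTEjBbK2Qd41vPQ/NYcIO3nQd
+PR2Qm3kpNumBSZomyNfJk9oegGxfw+P0af2GIb6YqmTDot+LLCLwpqxrGyQQ1LYp
+zc4A9D/b19Y0eD+TU9S2KEYszvfUo7RBxRFSZ6QN1rT2SEa7IJN9wb6TvgeB2lRB
+Ds90tmLtkbuwLTZre+aqbM8mU40+RI9GHh+mPw0Qz55Kw2CUe+PnGsLQnOTm7p/I
+mLiPTNMJKvwaR18Z88IE9UwL0zE/ND7vZfrhqTn9bHRnzHU4NtBCBsS8zloI+rXZ
+EIWKMDyzMH3wpbNYq/AemSvvUz1wGOxit5TjG2QwwCNt8hPLl0Es6Q5aWdAPPrLM
+EfX/6gL7bLTHNyLPz/U32o0H4hz5J7FQ7SuYUPLI3ybiPC2qL11jbtrZMesAYEAX
+mvRnqO+6dPEpwGmKz8kUj2mC8X8FPKCCiy4kbc8NjLTMao+/vOgD+wBuIePaC3yE
+vpuZrsUSFZWRJ824sDMmmZFoi2DKsp1zqCV1kXozaPGigaOxtkdp890nBcGkPijQ
+8F+jCGwSFda6UfuJHCQ/eJB+8LQUWa8u1TeJ9zo98oD2OBfQ5maZU0Vfv1EXvwbp
+pz2R6HXFaPrQDeGO0xVzD453AbY/fZCGnhIwrEYvPAbwpIKde397MP66gYFMNFhA
+IaMimFnBv7IHL08Ka0KtqbVhLpEKWFpZ6LsOnyispeB4KF0md+lpGg==
+-----END RSA PRIVATE KEY-----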
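--- /dev/null
+++ b/<path-not-shown>/StatusLoopDependency.java
@@ -0,0 +1,309 @@
+/*
+* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+* CA 95054 USA or visit www.sun.com if you need additional information or
+* have any questions.
+*/
+
+/**
+* @test
+* @bug 6852744
+* @summary PIT b61: PKI test suite fails because self signed certificates
+* are being rejected
+* @run main/othervm StatusLoopDependency subca
+* @run main/othervm StatusLoopDependency subci
+* @run main/othervm StatusLoopDependency alice
+* @author Xuelei Fan
+*/
+
+import java.io.*;
+import java.net.SocketException;
+import java.util.*;
+import java.security.Security;
+import java.security.cert.*;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import sun.security.util.DerInputStream;
+
+/**
+* KeyUsage extension plays a important rule during looking for the issuer
+* of a certificate or CRL. A certificate issuer should have the keyCertSign
+* bit set, and a CRL issuer should have the cRLSign bit set.
+*
+* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
+* as would be troublesome to find the proper CRL issuer during certificate
+* path build if the delegated CRL issuer is a self-issued certificate, for
+* it is hard to identify it from its issuer by the "issuer" field only.
+*
+* In the test case, the delegated CRL issuers have keyCertSign bit set, and
+* the CAs have the cRLSign bit set also. If we cannot identify the delegated
+* CRL issuer from its issuer, there is a potential loop to find the correct
+* CRL.
+*
+* And when revocation enabled, needs to check the status of the delegated
+* CRL issuers. If the delegated CRL issuer issues itself status, there is
+* a potential loop to verify the CRL and check the status of delegated CRL
+* issuer.
+*
+* The fix of 6852744 should addresses above issues.
+*/
+public final class StatusLoopDependency {
+
+// the trust anchor
+static String selfSignedCertStr =
+"-----BEGIN CERTIFICATE-----\n" +
+"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +
+"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+"AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +
+"81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +
+"m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +
+"AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +
+"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
+"DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +
+"ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +
+"DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +
+"v/E=\n" +
+"-----END CERTIFICATE-----";
+
+// the sub-ca
+static String subCaCertStr =
+"-----BEGIN CERTIFICATE-----\n" +
+"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +
+"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +
+"srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +
+"+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +
+"E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +
+"KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
+"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +
+"MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +
+"RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +
+"iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +
+"-----END CERTIFICATE-----";
+
+// a delegated CRL issuer, it's a self-issued certificate of trust anchor
+static String topCrlIssuerCertStr =
+"-----BEGIN CERTIFICATE-----\n" +
+"MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +
+"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+"AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +
+"/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +
+"hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +
+"AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +
+"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
+"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
+"DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +
+"xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +
+"rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +
+"G0c=\n" +
+"-----END CERTIFICATE-----";
+
+// a delegated CRL issuer, it's a self-issued certificate of sub-ca
+static String subCrlIssuerCertStr =
+"-----BEGIN CERTIFICATE-----\n" +
+"MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +
+"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
+"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +
+"OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +
+"obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +
+"GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +
+"xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
+"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
+"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +
+"Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +
+"pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +
+"Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +
+"-----END CERTIFICATE-----";
+
+// the target EE certificate
+static String targetCertStr =
+"-----BEGIN CERTIFICATE-----\n" +
+"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
+"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +
+"MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
+"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
+"9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +
+"T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +
+"1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +
+"cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +
+"uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +
+"9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +
+"yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +
+"G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +
+"-----END CERTIFICATE-----";
+
+// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
+static String topCrlStr =
+"-----BEGIN X509 CRL-----\n" +
+"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+"ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX\n" +
+"DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ\n" +
+"KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1\n" +
+"v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN\n" +
+"GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=\n" +
+"-----END X509 CRL-----";
+
+// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
+static String subCrlStr =
+"-----BEGIN X509 CRL-----\n" +
+"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw\n" +
+"ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO\n" +
+"MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO\n" +
+"oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe\n" +
+"5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr\n" +
+"N9AvUXxGxU4DruoJuFPcrCI=\n" +
+"-----END X509 CRL-----";
+
+private static Set<TrustAnchor> generateTrustAnchors()
+throws CertificateException {
+// generate certificate from cert string
+CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ByteArrayInputStream is =
+new ByteArrayInputStream(selfSignedCertStr.getBytes());
+Certificate selfSignedCert = cf.generateCertificate(is);
+
+// generate a trust anchor
+TrustAnchor anchor =
+new TrustAnchor((X509Certificate)selfSignedCert, null);
+
+return Collections.singleton(anchor);
+}
+
+private static CertStore generateCertificateStore() throws Exception {
+Collection entries = new HashSet();
+
+// generate certificate from certificate string
+CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+ByteArrayInputStream is;
+
+is = new ByteArrayInputStream(targetCertStr.getBytes());
+Certificate cert = cf.generateCertificate(is);
+entries.add(cert);
+
+is = new ByteArrayInputStream(subCaCertStr.getBytes());
+cert = cf.generateCertificate(is);
+entries.add(cert);
+
+is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
+cert = cf.generateCertificate(is);
+entries.add(cert);
+
+is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
+cert = cf.generateCertificate(is);
+entries.add(cert);
+
+is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+cert = cf.generateCertificate(is);
+entries.add(cert);
+
+// generate CRL from CRL string
+is = new ByteArrayInputStream(topCrlStr.getBytes());
+Collection mixes = cf.generateCRLs(is);
+entries.addAll(mixes);
+
+is = new ByteArrayInputStream(subCrlStr.getBytes());
+mixes = cf.generateCRLs(is);
+entries.addAll(mixes);
+
+return CertStore.getInstance("Collection",
+new CollectionCertStoreParameters(entries));
+}
+
+private static X509CertSelector generateSelector(String name)
+throws Exception {
+X509CertSelector selector = new X509CertSelector();
+
+// generate certificate from certificate string
+CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ByteArrayInputStream is = null;
+if (name.equals("subca")) {
+is = new ByteArrayInputStream(subCaCertStr.getBytes());
+} else if (name.equals("subci")) {
+is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+} else {
+is = new ByteArrayInputStream(targetCertStr.getBytes());
+}
+
+X509Certificate target = (X509Certificate)cf.generateCertificate(is);
+byte[] extVal = target.getExtensionValue("2.5.29.14");
+if (extVal != null) {
+DerInputStream in = new DerInputStream(extVal);
+byte[] subjectKID = in.getOctetString();
+selector.setSubjectKeyIdentifier(subjectKID);
+} else {
+// unlikely to happen.
+throw new Exception("unexpected certificate: no SKID extension");
+}
+
+return selector;
+}
+
+private static boolean match(String name, Certificate cert)
+throws Exception {
+X509CertSelector selector = new X509CertSelector();
+
+// generate certificate from certificate string
+CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ByteArrayInputStream is = null;
+if (name.equals("subca")) {
+is = new ByteArrayInputStream(subCaCertStr.getBytes());
+} else if (name.equals("subci")) {
+is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
+} else {
+is = new ByteArrayInputStream(targetCertStr.getBytes());
+}
+X509Certificate target = (X509Certificate)cf.generateCertificate(is);
+
+return target.equals(cert);
+}
+
+
+public static void main(String[] args) throws Exception {
+CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
+
+X509CertSelector selector = generateSelector(args[0]);
+
+Set<TrustAnchor> anchors = generateTrustAnchors();
+CertStore certs = generateCertificateStore();
+
+
+PKIXBuilderParameters params =
+new PKIXBuilderParameters(anchors, selector);
+params.addCertStore(certs);
+params.setRevocationEnabled(true);
+params.setDate(new Date(109, 7, 1)); // 2009-07-01
+Security.setProperty("ocsp.enable", "false");
+System.setProperty("com.sun.security.enableCRLDP", "true");
+
+PKIXCertPathBuilderResult result =
+(PKIXCertPathBuilderResult)builder.build(params);
+
+if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
+throw new Exception("unexpected certificate");
+}
+}
+}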
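Review bot: The comment on `params.setDate(new Date(109, 7, 1)); // 2009-07-01` does not match the code: java.util.Date months are zero-based, so month 7 is August and the validation date is actually 2009-08-01. Both dates fall inside the fixtures' validity windows, so the test still passes, but the line should either say `// 2009-08-01` or be written unambiguously as `params.setDate(new GregorianCalendar(2009, Calendar.JULY, 1).getTime()); // 2009-07-01`. generateCertificateStore also uses raw types (`Collection entries = new HashSet();`, `Collection mixes = cf.generateCRLs(is);`); `Collection<Object>` and `Collection<? extends CRL>` keep the same CollectionCertStoreParameters call without unchecked warnings. The name-to-certificate selection is duplicated verbatim between generateSelector and match, and `java.net.SocketException` and `BasicReason` are imported but unused; a single private helper returning the parsed X509Certificate for a name would remove the duplication.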
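--- /dev/null
+++ b/<ksh-script-path-not-shown>
@@ -0,0 +1,221 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#!/bin/ksh
+#
+# needs ksh to run the script.
+
+# generate a self-signed root certificate
+if [ ! -f root/root_cert.pem ]; then
+if [ ! -d root ]; then
+mkdir root
+fi
+
+openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
+-out root/root_cert.pem -subj "/C=US/O=Example" \
+-config openssl.cnf -reqexts cert_issuer -days 7650 \
+-passin pass:passphrase -passout pass:passphrase
+fi
+
+# generate a sele-issued root crl issuer certificate
+if [ ! -f root/top_crlissuer_cert.pem ]; then
+if [ ! -d root ]; then
+mkdir root
+fi
+
+openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
+-out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
+-passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
+-extensions crl_issuer -CA root/root_cert.pem \
+-CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
+-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+-passin pass:passphrase
+fi
+
+# generate subca cert issuer and crl iuuser certificates
+if [ ! -f subca/subca_cert.pem ]; then
+if [ ! -d subca ]; then
+mkdir subca
+fi
+
+openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
+-out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+-days 7650 -passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
+-extensions cert_issuer -CA root/root_cert.pem \
+-CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
+-CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
+
+openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
+-out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
+-days 7650 -passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
+-extensions crl_issuer -CA root/root_cert.pem \
+-CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
+-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+-passin pass:passphrase
+fi
+
+# generate dumca cert issuer and crl iuuser certificates
+if [ ! -f dumca/dumca_cert.pem ]; then
+if [ ! -d sumca ]; then
+mkdir dumca
+fi
+
+openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
+-out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+-days 7650 -passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
+-extensions cert_issuer -CA root/root_cert.pem \
+-CAkey root/root_key.pem -out dumca/dumca_cert.pem \
+-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+-passin pass:passphrase
+
+openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
+-out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
+-days 7650 -passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
+-extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
+-CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
+-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
+-passin pass:passphrase
+fi
+
+# generate certifiacte for Alice
+if [ ! -f subca/alice/alice_cert.pem ]; then
+if [ ! -d subca/alice ]; then
+mkdir -p subca/alice
+fi
+
+openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
+-out subca/alice/alice_req.pem \
+-subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
+-passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in subca/alice/alice_req.pem \
+-extfile openssl.cnf -extensions ee_of_subca \
+-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+-out subca/alice/alice_cert.pem -CAcreateserial \
+-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Bob
+if [ ! -f subca/bob/bob_cert.pem ]; then
+if [ ! -d subca/bob ]; then
+mkdir -p subca/bob
+fi
+
+openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
+-out subca/bob/bob_req.pem \
+-subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
+-passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in subca/bob/bob_req.pem \
+-extfile openssl.cnf -extensions ee_of_subca \
+-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
+-out subca/bob/bob_cert.pem -CAcreateserial \
+-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
+fi
+
+# generate certifiacte for Susan
+if [ ! -f subca/susan/susan_cert.pem ]; then
+if [ ! -d subca/susan ]; then
+mkdir -p subca/susan
+fi
+
+openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
+-out subca/susan/susan_req.pem \
+-subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
+-passin pass:passphrase -passout pass:passphrase
+
+openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
+-extensions ee_of_subca -CA subca/subca_cert.pem \
+-CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
+-CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
+-passin pass:passphrase
+fi
+
+
+# generate the top CRL
+if [ ! -f root/top_crl.pem ]; then
+if [ ! -d root ]; then
+mkdir root
+fi
+
+if [ ! -f root/index.txt ]; then
+touch root/index.txt
+echo 00 > root/crlnumber
+fi
+
+openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+-passin pass:passphrase
+fi
+
+# revoke dumca
+openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
+-name ca_top -crl_reason superseded \
+-keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
+-passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
+-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
+-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
+-passin pass:passphrase
+
+# revoke for subca
+if [ ! -f subca/subca_crl.pem ]; then
+if [ ! -d subca ]; then
+mkdir subca
+fi
+
+if [ ! -f subca/index.txt ]; then
+touch subca/index.txt
+echo 00 > subca/crlnumber
+fi
+
+openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+-passin pass:passphrase
+fi
+
+# revoke susan
+openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
+-name ca_subca -crl_reason superseded \
+-keyfile subca/subca_crlissuer_key.pem \
+-cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
+
+openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
+-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
+-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
+-passin pass:passphrase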
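Review bot: The directory guard in the dumca block tests the wrong name: `if [ ! -d sumca ]; then` is followed by `mkdir dumca`, so on a rerun where dumca already exists the mkdir fails; it should read `if [ ! -d dumca ]; then`. The script also never enables `set -e`, so a failed openssl step (for example one that cannot find openssl.cnf) is followed by the next command, which then signs with key or certificate files that were never written; a `set -e` right after the interpreter line would stop at the first failure. Note that `#!/bin/ksh` sits below the license header, so the kernel does not honour it; the "needs ksh" comment covers this, but moving the shebang to line 1 would make the script directly executable.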
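--- /dev/null
+++ b/<path-not-shown>/openssl.cnf
@@ -0,0 +1,205 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Sun designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Sun in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+#
+# OpenSSL configuration file.
+#
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = ./top
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_top ]
+dir = ./root
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = v3_ca
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ ca_subca ]
+dir = ./subca
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+unique_subject = no
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/cacert.pem
+serial = $dir/serial
+crlnumber = $dir/crlnumber
+crl = $dir/crl.pem
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+
+x509_extensions = usr_cert
+
+name_opt = ca_default
+cert_opt = ca_default
+
+default_days = 7650
+default_crl_days = 30
+default_md = sha1
+preserve = no
+
+policy = policy_anything
+
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca
+
+string_mask = nombstr
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = NO
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = A-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+
+[ usr_cert ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ cert_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ crl_issuer ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = critical,CA:true
+keyUsage = keyCertSign, cRLSign
+
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ ee_of_subca ]
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer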
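Review bot: `[ crl_ext ]` is defined but nothing references it: neither `[ ca_top ]` nor `[ ca_subca ]` sets `crl_extensions`, so the CRLs produced by the `openssl ca -gencrl` runs carry no authorityKeyIdentifier (the CRL fixtures embedded in StatusLoopDependency appear to carry only a cRLNumber extension). If the AKID-based CRL issuer matching in DistributionPointFetcher that this change touches is meant to be exercised by these fixtures, add `crl_extensions = crl_ext` to both CA sections and regenerate; otherwise the unused section should be dropped so it does not suggest AKIDs are present. `[ v3_ca ]`, `[ cert_issuer ]` and `[ crl_issuer ]` are byte-for-byte identical, and a one-line comment above `[ crl_issuer ]` such as `# delegated CRL issuers deliberately keep keyCertSign (see StatusLoopDependency)` would tell a maintainer that the identical key usage is the point of the test rather than a copy-paste leftover. `default_md = sha1` and `default_bits = 1024` are acceptable for a fixture generator but should not be carried into any non-test configuration.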