stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

6852744: PIT b61: PKI test suite fails because self signed certificates are beingrejected

Browse Source 
Make the builder aware of SKID/AKID, break the internal circular dependences

Reviewed-by: mullan
This commit is contained in:
Xue-Lei Andrew Fan 2009-07-10 17:27:13 +08:00
parent 40a7ea7c9c
commit 5ba2fd7d33
8 changed files with 1940 additions and 12 deletions
jdk
src/share/classes/sun/security/provider/certpath
DistributionPointFetcher.javaForwardBuilder.java
test/java/security/cert/CertPathBuilder/selfIssued
DisableRevocation.javaKeyUsageMatters.javaREADMEStatusLoopDependency.javagenerate.shopenssl.cnf

92
jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -34,6 +34,7 @@ import javax.security.auth.x500.X500Principal;
import sun.security.action.GetPropertyAction; import sun.security.action.GetPropertyAction;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.DerOutputStream;
import sun.security.x509.*; import sun.security.x509.*;
/** /**
@ -333,7 +334,15 @@ class DistributionPointFetcher {
if (match == false) { if (match == false) {
return false; return false;
} }
// we accept the case that a CRL issuer provide status
// information for itself.
if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
// reset the public key used to verify the CRL's signature
prevKey = certImpl.getPublicKey();
} else {
indirectCRL = true; indirectCRL = true;
}
} else if (crlIssuer.equals(certIssuer) == false) { } else if (crlIssuer.equals(certIssuer) == false) {
if (debug != null) { if (debug != null) {
debug.println("crl issuer does not equal cert issuer"); debug.println("crl issuer does not equal cert issuer");
@ -347,9 +356,16 @@ class DistributionPointFetcher {
PKIXExtensions.AuthorityKey_Id.toString()); PKIXExtensions.AuthorityKey_Id.toString());
if (!Arrays.equals(certAKID, crlAKID)) { if (!Arrays.equals(certAKID, crlAKID)) {
// we accept the case that a CRL issuer provide status
// information for itself.
if (ForwardBuilder.issues(certImpl, crlImpl, provider)) {
// reset the public key used to verify the CRL's signature
prevKey = certImpl.getPublicKey();
} else {
indirectCRL = true; indirectCRL = true;
} }
} }
}
if (!indirectCRL && !signFlag) { if (!indirectCRL && !signFlag) {
// cert's key cannot be used to verify the CRL // cert's key cannot be used to verify the CRL
@ -542,10 +558,80 @@ class DistributionPointFetcher {
certSel.setSubject(crlIssuer.asX500Principal()); certSel.setSubject(crlIssuer.asX500Principal());
boolean[] crlSign = {false,false,false,false,false,false,true}; boolean[] crlSign = {false,false,false,false,false,false,true};
certSel.setKeyUsage(crlSign); certSel.setKeyUsage(crlSign);
// Currently by default, forward builder does not enable
// subject/authority key identifier identifying for target
// certificate, instead, it only compares the CRL issuer and
// the target certificate subject. If the certificate of the
// delegated CRL issuer is a self-issued certificate, the
// builder is unable to find the proper CRL issuer by issuer
// name only, there is a potential dead loop on finding the
// proper issuer. It is of great help to narrow the target
// scope down to aware of authority key identifiers in the
// selector, for the purposes of breaking the dead loop.
AuthorityKeyIdentifierExtension akidext =
crlImpl.getAuthKeyIdExtension();
if (akidext != null) {
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
if (akid != null) {
DerOutputStream derout = new DerOutputStream();
derout.putOctetString(akid.getIdentifier());
certSel.setSubjectKeyIdentifier(derout.toByteArray());
}
SerialNumber asn =
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
if (asn != null) {
certSel.setSerialNumber(asn.getNumber());
}
// the subject criterion will be set by builder automatically.
}
// by far, we have validated the previous certificate, we can
// trust it during validating the CRL issuer.
// Except the performance improvement, another benefit is to break
// the dead loop while looking for the issuer back and forth
// between the delegated self-issued certificate and its issuer.
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
if (anchor != null) {
trustAnchors.add(anchor);
}
if (prevKey != null) {
// if the previous key is of the anchor, don't bother to
// duplicate the trust.
boolean duplicated = false;
PublicKey publicKey = prevKey;
X500Principal principal = certImpl.getIssuerX500Principal();
if (anchor != null) {
X509Certificate trustedCert = anchor.getTrustedCert();
X500Principal trustedPrincipal;
PublicKey trustedPublicKey;
if (trustedCert != null) {
trustedPrincipal = trustedCert.getSubjectX500Principal();
trustedPublicKey = trustedCert.getPublicKey();
} else {
trustedPrincipal = anchor.getCA();
trustedPublicKey = anchor.getCAPublicKey();
}
if (principal.equals(trustedPrincipal) &&
publicKey.equals(trustedPublicKey)) {
duplicated = true;
}
}
if (!duplicated) {
TrustAnchor temporary =
new TrustAnchor(principal, publicKey, null);
trustAnchors.add(temporary);
}
}
PKIXBuilderParameters params = null; PKIXBuilderParameters params = null;
try { try {
params = new PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, certSel);
(Collections.singleton(anchor), certSel);
} catch (InvalidAlgorithmParameterException iape) { } catch (InvalidAlgorithmParameterException iape) {
throw new CRLException(iape); throw new CRLException(iape);
} }

174
jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java

@ -1,5 +1,5 @@
/* /*
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved. * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -30,6 +30,7 @@ import java.util.*;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException; import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXReason; import java.security.cert.PKIXReason;
@ -43,12 +44,22 @@ import java.security.cert.X509CertSelector;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.DerOutputStream;
import sun.security.x509.AccessDescription; import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension; import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.PKIXExtensions; import sun.security.x509.PKIXExtensions;
import sun.security.x509.PolicyMappingsExtension; import sun.security.x509.PolicyMappingsExtension;
import sun.security.x509.X500Name; import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.SerialNumber;
import sun.security.x509.GeneralNames;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import java.math.BigInteger;
/** /**
* This class represents a forward builder, which is able to retrieve * This class represents a forward builder, which is able to retrieve
@ -237,7 +248,7 @@ class ForwardBuilder extends Builder {
} else { } else {
if (caSelector == null) { if (caSelector == null) {
caSelector = new X509CertSelector(); caSelector = new AdaptableX509CertSelector();
/* /*
* Match on certificate validity date. * Match on certificate validity date.
@ -269,6 +280,29 @@ class ForwardBuilder extends Builder {
* at least as many CA certs that have already been traversed * at least as many CA certs that have already been traversed
*/ */
caSelector.setBasicConstraints(currentState.traversedCACerts); caSelector.setBasicConstraints(currentState.traversedCACerts);
/*
* Facilitate certification path construction with authority
* key identifier and subject key identifier.
*/
AuthorityKeyIdentifierExtension akidext =
currentState.cert.getAuthorityKeyIdentifierExtension();
if (akidext != null) {
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
if (akid != null) {
DerOutputStream derout = new DerOutputStream();
derout.putOctetString(akid.getIdentifier());
caSelector.setSubjectKeyIdentifier(derout.toByteArray());
}
SerialNumber asn =
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
if (asn != null) {
caSelector.setSerialNumber(asn.getNumber());
}
// the subject criterion was set previously.
}
sel = caSelector; sel = caSelector;
} }
@ -817,14 +851,26 @@ class ForwardBuilder extends Builder {
} else { } else {
continue; continue;
} }
} else {
X500Principal principal = anchor.getCA();
java.security.PublicKey publicKey = anchor.getCAPublicKey();
if (principal != null && publicKey != null &&
principal.equals(cert.getSubjectX500Principal())) {
if (publicKey.equals(cert.getPublicKey())) {
// the cert itself is a trust anchor
this.trustAnchor = anchor;
return true;
}
// else, it is a self-issued certificate of the anchor
} }
X500Principal trustedCAName = anchor.getCA(); // Check subject/issuer name chaining
if (principal == null ||
/* Check subject/issuer name chaining */ !principal.equals(cert.getIssuerX500Principal())) {
if (!trustedCAName.equals(cert.getIssuerX500Principal())) {
continue; continue;
} }
}
/* Check revocation if it is enabled */ /* Check revocation if it is enabled */
if (buildParams.isRevocationEnabled()) { if (buildParams.isRevocationEnabled()) {
@ -890,4 +936,120 @@ class ForwardBuilder extends Builder {
void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) { void removeFinalCertFromPath(LinkedList<X509Certificate> certPathList) {
certPathList.removeFirst(); certPathList.removeFirst();
} }
/** Verifies whether a CRL is issued by a certain certificate
*
* @param cert the certificate
* @param crl the CRL to be verified
* @param provider the name of the signature provider
*/
static boolean issues(X509CertImpl cert, X509CRLImpl crl, String provider)
throws IOException {
boolean kidmatched = false;
// check certificate's key usage
boolean[] usages = cert.getKeyUsage();
if (usages != null && !usages[6]) {
return false;
}
// check certificate's SKID and CRL's AKID
AuthorityKeyIdentifierExtension akidext = crl.getAuthKeyIdExtension();
if (akidext != null) {
// the highest priority, matching KID
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
if (akid != null) {
SubjectKeyIdentifierExtension skidext =
cert.getSubjectKeyIdentifierExtension();
if (skidext != null) {
KeyIdentifier skid =
(KeyIdentifier)skidext.get(skidext.KEY_ID);
if (!akid.equals(skid)) {
return false;
}
kidmatched = true;
}
// conservatively, in case of X509 V1 certificate,
// does return false here if no SKID extension.
}
// the medium priority, matching issuer name/serial number
SerialNumber asn = (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
GeneralNames anames = (GeneralNames)akidext.get(akidext.AUTH_NAME);
if (asn != null && anames != null) {
X500Name subject = (X500Name)cert.getSubjectDN();
BigInteger serial = cert.getSerialNumber();
if (serial != null && subject != null) {
if (serial.equals(asn.getNumber())) {
return false;
}
for (GeneralName name : anames.names()) {
GeneralNameInterface gni = name.getName();
if (subject.equals(gni)) {
return true;
}
}
}
return false;
}
if (kidmatched) {
return true;
}
}
// the last priority, verify the CRL signature with the cert.
X500Principal crlIssuer = crl.getIssuerX500Principal();
X500Principal certSubject = cert.getSubjectX500Principal();
if (certSubject != null && certSubject.equals(crlIssuer)) {
try {
crl.verify(cert.getPublicKey(), provider);
return true;
} catch (Exception e) {
// ignore all exceptions.
}
}
return false;
}
/**
* An adaptable X509 certificate selector for forward certification path
* building.
*/
private static class AdaptableX509CertSelector extends X509CertSelector {
public AdaptableX509CertSelector() {
super();
}
/**
* Decides whether a <code>Certificate</code> should be selected.
*
* For the purpose of compatibility, when a certificate is of
* version 1 and version 2, or the certificate does not include
* a subject key identifier extension, the selection criterion
* of subjectKeyIdentifier will be disabled.
*
* @Override
*/
public boolean match(Certificate cert) {
if (!(cert instanceof X509Certificate)) {
return false;
}
X509Certificate xcert = (X509Certificate)cert;
if (xcert.getVersion() < 3 ||
xcert.getExtensionValue("2.5.29.14") == null) {
// disable the subjectKeyIdentifier criterion
setSubjectKeyIdentifier(null);
}
return super.match(cert);
}
}
} }

260
jdk/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java Normal file

@ -0,0 +1,260 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
* @bug 6852744
* @summary PIT b61: PKI test suite fails because self signed certificates
* are being rejected
* @run main/othervm DisableRevocation subca
* @run main/othervm DisableRevocation subci
* @run main/othervm DisableRevocation alice
* @author Xuelei Fan
*/
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import sun.security.util.DerInputStream;
/**
* A test case helps to ensure that a certification path building process is
* able to identify a self-issued certificate from its issuer when disable
* revocation checking.
*/
public final class DisableRevocation {
// the trust anchor
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +
"81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +
"m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +
"ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +
"DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +
"v/E=\n" +
"-----END CERTIFICATE-----";
// the sub-ca
static String subCaCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +
"srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +
"+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +
"E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +
"KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +
"MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +
"RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +
"iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of trust anchor
static String topCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +
"/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +
"hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +
"xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +
"rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +
"G0c=\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of sub-ca
static String subCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +
"OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +
"obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +
"GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +
"xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +
"Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +
"pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +
"Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +
"-----END CERTIFICATE-----";
// the target EE certificate
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +
"MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
"9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +
"T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +
"1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +
"cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +
"uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +
"9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +
"yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +
"G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +
"-----END CERTIFICATE-----";
private static Set<TrustAnchor> generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
private static CertStore generateCertificateStore() throws Exception {
Collection entries = new HashSet();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is;
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCaCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
return CertStore.getInstance("Collection",
new CollectionCertStoreParameters(entries));
}
private static X509CertSelector generateSelector(String name)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
byte[] extVal = target.getExtensionValue("2.5.29.14");
if (extVal != null) {
DerInputStream in = new DerInputStream(extVal);
byte[] subjectKID = in.getOctetString();
selector.setSubjectKeyIdentifier(subjectKID);
} else {
// unlikely to happen.
throw new Exception("unexpected certificate: no SKID extension");
}
return selector;
}
private static boolean match(String name, Certificate cert)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
return target.equals(cert);
}
public static void main(String[] args) throws Exception {
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
X509CertSelector selector = generateSelector(args[0]);
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore certs = generateCertificateStore();
PKIXBuilderParameters params =
new PKIXBuilderParameters(anchors, selector);
params.addCertStore(certs);
params.setRevocationEnabled(false);
params.setDate(new Date(109, 7, 1)); // 2009-07-01
Security.setProperty("ocsp.enable", "false");
System.setProperty("com.sun.security.enableCRLDP", "false");
PKIXCertPathBuilderResult result =
(PKIXCertPathBuilderResult)builder.build(params);
if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
throw new Exception("unexpected certificate");
}
}
}

303
jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java Normal file

@ -0,0 +1,303 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
* @bug 6852744
* @summary PIT b61: PKI test suite fails because self signed certificates
* are being rejected
* @run main/othervm KeyUsageMatters subca
* @run main/othervm KeyUsageMatters subci
* @run main/othervm KeyUsageMatters alice
* @author Xuelei Fan
*/
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import sun.security.util.DerInputStream;
/**
* KeyUsage extension plays a important rule during looking for the issuer
* of a certificate or CRL. A certificate issuer should have the keyCertSign
* bit set, and a CRL issuer should have the cRLSign bit set.
*
* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
* as would be troublesome to find the proper CRL issuer during certificate
* path build if the delegated CRL issuer is a self-issued certificate, for
* it is hard to identify it from its issuer by the "issuer" field only.
*
* The fix of 6852744 should addresses above issue, and allow a delegated CRL
* issuer to have keyCertSign bit set.
*
* In the test case, the delegated CRL issuers have cRLSign bit set only, and
* the CAs have the keyCertSign bit set only, it is expected to work before
* and after the bug fix of 6852744.
*/
public final class KeyUsageMatters {
// the trust anchor
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" +
"Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" +
"jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" +
"QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" +
"484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" +
"iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" +
"Vjw=\n" +
"-----END CERTIFICATE-----";
// the sub-ca
static String subCaCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" +
"8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" +
"Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" +
"P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" +
"IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" +
"UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" +
"hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" +
"7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of trust anchor
static String topCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
"SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
"atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
"AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
"PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
"VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
"eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
"FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
"uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of sub-ca
static String subCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" +
"LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" +
"4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" +
"6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" +
"jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" +
"CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" +
"BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" +
"QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" +
"bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" +
"rg==\n" +
"-----END CERTIFICATE-----";
// the target EE certificate
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" +
"MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
"9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" +
"ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" +
"V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" +
"pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" +
"4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" +
"9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" +
"wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" +
"Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" +
"-----END CERTIFICATE-----";
// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
static String topCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
"DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
"KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
"CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
"oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
"-----END X509 CRL-----";
// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
static String subCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" +
"NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" +
"MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" +
"aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" +
"nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" +
"ARGr6Qu68MYGtLMC6ZqP3u0=\n" +
"-----END X509 CRL-----";
private static Set<TrustAnchor> generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
private static CertStore generateCertificateStore() throws Exception {
Collection entries = new HashSet();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is;
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCaCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
// generate CRL from CRL string
is = new ByteArrayInputStream(topCrlStr.getBytes());
Collection mixes = cf.generateCRLs(is);
entries.addAll(mixes);
is = new ByteArrayInputStream(subCrlStr.getBytes());
mixes = cf.generateCRLs(is);
entries.addAll(mixes);
return CertStore.getInstance("Collection",
new CollectionCertStoreParameters(entries));
}
private static X509CertSelector generateSelector(String name)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
byte[] extVal = target.getExtensionValue("2.5.29.14");
if (extVal != null) {
DerInputStream in = new DerInputStream(extVal);
byte[] subjectKID = in.getOctetString();
selector.setSubjectKeyIdentifier(subjectKID);
} else {
// unlikely to happen.
throw new Exception("unexpected certificate: no SKID extension");
}
return selector;
}
private static boolean match(String name, Certificate cert)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
return target.equals(cert);
}
public static void main(String[] args) throws Exception {
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
X509CertSelector selector = generateSelector(args[0]);
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore certs = generateCertificateStore();
PKIXBuilderParameters params =
new PKIXBuilderParameters(anchors, selector);
params.addCertStore(certs);
params.setRevocationEnabled(true);
params.setDate(new Date(109, 5, 1)); // 2009-05-01
Security.setProperty("ocsp.enable", "false");
System.setProperty("com.sun.security.enableCRLDP", "true");
PKIXCertPathBuilderResult result =
(PKIXCertPathBuilderResult)builder.build(params);
if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
throw new Exception("unexpected certificate");
}
}
}

382
jdk/test/java/security/cert/CertPathBuilder/selfIssued/README Normal file

@ -0,0 +1,382 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
Certificates and CRLs
The certificates and CRLs used by KeyUsageMatters.java are copied from
test/java/security/cert/CertPathValidator/indirectCRL.
Here lists the local generated certificates and CRLs used in the test cases.
The generate.sh depends on openssl, and it should be run under ksh. The
script will create many directories and files, please run it in a
directory outside of JDK workspace.
1. root certifiate and key
-----BEGIN CERTIFICATE-----
MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha
MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8
81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7
m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID
AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME
QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO
BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey
ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj
DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9
v/E=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,46F13CECA9B38323
AVNWPH7jiPyJVq9KfL3IlGVCwD41KVapg12yJR2t/WWlLaKr19/0oWNvimcrd040
txFKvcFO9TFLxmaco33+actCoL0K/XbrCBICThZLybzcFTuYFMum8eqL61avQgBe
Kt4CCjcupWLzKWkKTMV/bP6nPnPUSB9U8QeGwutjJYnLDi0TuYx8YSqZo/36vM98
r3OvtcSA5XEN4guxxHusZJnhbclVb/Z1WtLVb4v2d5yBtPM2p3R0hK17L4Dnusjl
n56z6Z0AIYmfAggM/Fpge2uT3D/5n//l1lZRNoSvsX5UZipKswZKLpvx7IJ+AqgA
UO9lcmNLGnIXME3IS3smd83wPi7nxH3NCYWHbGAKLm6mkFMs5LOhofUMOBS3Rxmm
2RjCGtuzDxBPKveo9/Y80B//6sEce2gdi7fCKgWwtR4VFuJd0hWODD6CarK3edHH
rUG62Kt2aqiI/y/NLEbfHCHbyM37c9/OzS5Zy695dDl22r5EirVFsVgejQR1JGtP
ANdc6kkkJW+s6GiqimShssMTp1x0L8twT/+wEa38LafiaPKk4OweleBuyz7k2FxA
Rr2u9IOvGU3eKAeH8HSFWvaNE9S2lYFPiWWZ6O/LzVvnb847+gungQ7SPRzOkt4k
L4PtHIoKmLWFr5tzML1Q8wiaKcTWMb5LZbRbo+2XYGoIpilxkBBuhX7cMJFwOHEf
YJJRixBI97doPsnIQ3GkA8xY+INzQ4LWNQbnEtS7L7t26NA9tDlg4ILU/UfMoQIp
Ol4EZY1U7gD8BeMwo2vX3x/WA+a7R2N95klBFNqn9jSkm6a5yoeCZw==
-----END RSA PRIVATE KEY-----
2. root crl issuer and key
-----BEGIN CERTIFICATE-----
MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa
MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN
/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3
hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID
AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME
QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO
BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw
DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk
xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0
rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP
G0c=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3881A5676C1AD5E5
KgaAtGlIQXVnsoifcd1oTi4hS1J+InHISFcZepI1h1hrU9KVAJAlwD1GIeM2qAkG
P1ABsA0TE0yRJpd3qHih2IPtD42osfc3HmNTw17nh4Trd3ESilrs4w/rrH8e6bR5
WlqG0OKsw8x57t44m9yX94+pP3tdPaJwnFk5M7pDCO44IZskmy10S0NHBn7wMwM/
mqlZ15mK6YZTwOuLzpdSDJqYPLiv77KpfeiqSN++ISXoNhIcNYHRVyErAS/DcBlx
mbrmBaGexhuagQYqVikEDIvg8kBDWD92EjOFbz94Z6eTvliauJ/+E1/Ffefe2cN5
LaVwuUsiyW9GjarWwBJDFrXesTikklshC9V35j/ACHVdh5CuO8FGfVijIwlbZ14N
xKWJdSlZlJgEjkwUlWfi1KmrFrob+yK20fGMWr3oY1rTKWZdYkrqnnKEYcMQV/TH
XNY77D5idJ3FLtvJyziqIFuohdatQsu6xFP5UEOeUi6OhptJDjjS+zDhiBlL4cqA
klThzvuycxjZT+5xno0f8GEnZkQNcC6xxPoP6vstNMKLz1rI1CVUSXZBHc5nfMaF
m75rrLbvf6F2NLUspaNXnW8TUMHxcu8nNCnM4/u6hkqebQo/N8X1/v1HImsewwWO
P5uJwqmqfuRz0vZyMKAk3FzQIfrjJouxDfkNV2YHM9VP/grPlDgzmgiN0+6bCbn+
RW2K8kvkSFZehQ1Ygdst9KYH3NEcEYVYY9pH1N1xRNAylcIDJNwrFwf9vfwjt9/q
AVsyDxUBT/KVCcqr15LNNq9HmmcP6IZZMRjdyf2BR+/cobxxDRZq1Q==
-----END RSA PRIVATE KEY-----
3. root CRL issued by root crl issuer.
-----BEGIN X509 CRL-----
MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX
DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ
KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1
v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN
GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=
-----END X509 CRL-----
4. subca certificate and key
-----BEGIN CERTIFICATE-----
MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa
MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X
srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA
+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v
E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES
KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv
MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb
RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP
iil34GktVl6gfMKGzUEW/Dh8OM4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,35408AD3018F0049
4t6WfpFNqpOr47Wc/OAt8+KZK0+WX7d3nlJn47W+QN7AkPfBlLBpcQJkImhP4/eh
aJyk8fPOdUhT/4rgc5ORuKk4d9boD36KK5Iz/+/oNBxzuld6TybVb+Hvw41cIZTW
CtkvADQpR8XWbPre+3ZH2eAKoTeWX0xR7pYg1JsFk9vxee6U82iqsAYRdUOdot8D
9zdDbbeaLWs78UbZkxFtuXREuyNVX880Q17t8qszJL2KmmtMQpUvxTlW04Ope1Ug
uIuOxeannzpKRD+37fj+oacM3GRqVFOP47/NVaziOexDBn4b5nlW6OMro6t0qiHt
1GLJcw1oLXoFe8ycexfzYWUiHymSz5Vh3wIflsQY+Ik6dopL+fpk2cVD0bncKJlf
Ie9PvL04RwannRjgtPl9X05tzcgeyznp2Ix1/rsriZQQpdPTLGA6w6kUhQeK6TwT
eX7pXn3iLTGK+VoHRfbxBQR2Fvq1nRJbvsmJFhPOcJU5CYSaDPGGdA6NorbdVgbc
14DlkhzojhEpZ7DaUeFNUXUMlQOR5UUTZB+wL3zQoY/FzHci3JD1Gj4NlbC9mMEg
ncWZcpZWOnP2kHSz2o/UOxQM80gerukI7NOr020iJ+ZZRb/gyAAzLPnD+mCZ7/e2
JJ3x6yHOtVA6WzZiQH1d9/bm79rtcWaRH83X/idG1lHuKXQJFAaw5f7Z2n2/yuF1
9pZf7el1M7UoBf74oc68klAl46f4inroy8anAtc/qjSTXUYQrNvKZsWU9AZVS7oH
iEuYMVW4KiZh3SHsIg5TZdMbdVYtZpcTsl/Kh6XuY0o0Xsi+rTK5AA==
-----END RSA PRIVATE KEY-----
5. crl issuer of subca, the certificate and key
-----BEGIN CERTIFICATE-----
MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda
MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw
OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX
obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG
GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN
xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh
Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc
pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV
Fu987DvLmZ2GuQA9FKJsnlD9pbU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4CD10EAA24AF8C25
6pTRc9jsn6CJ2EMYhuGX3aWrDThhacnqdtsKIqUzX8Ga7Jz9kq6HseTRlqPkzBfb
rCl+eVIkgugrPbf93375mP/ozY8LkEgD9TRAL1uXqha2N6TRLC2ozQJQSoIc441e
UZ9XkB6tPGRfPNvi1xE0WTP7bjOUkvkPU9wM9QFuBW6B7mRf3tG2nqkFiTpY6nz8
5X5+h9jafcCvMwYhfJm0JFTGWmX4WJWubs8QeYndvIriDDw2zpVNcno45sClSQCb
YVekMLgGlKPmNGub5iRfXsozykE3jbMnXRokxrvzk20jjo0XYPVGfCRe9IhJh8Ud
iCG/kPaJspbUkUlKXfvIOdp2pnoDFZI5hbfc75YrFYJ8x8dwRYBUl6yRtBkw5Yo/
VQDuNq3d7YpxiGxVTwFox6HQ5+rs6jwSGzOilgOCxPSs41fYcdAlogNqLzjvhn+e
0GU1XTVyMJbO0Ae6Sgm4PmxU7QM2bdzESuZWbYRFbH2ywwmoR8SahB3ICBhuIA/l
lsCrBbq+jL/K2IL1VXBKuaKBN1ShKUPZD/ABWNv4uENNg2AFq1XQ6kvTU8Glfhd9
tyK8YnJ0ViY4VLGhdf0s2eEPmbfxOv0HCW0sz/57eASoQSTJTdVApYopWHBOwaNq
8qQUEPDMTKaPNqCjA2m/NwGrLPHhU0d5dHmp+9gTbCTmWy4sVenhBPbOy6wvFpNA
F+35tJVaZQOOurm/KC2dLOYkKyAvqnB7D2q4zducpWkiyCweg7uYL14Mo5JQmGuq
2DwfRiMxdqqoqHFKEOxsoAMrKSwJlYojUknfz/LEaqxtMePQtNwhjw==
-----END RSA PRIVATE KEY-----
6. CLR issued by subca CRL issuer
-----BEGIN X509 CRL-----
MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE
ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw
ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO
MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO
oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe
5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr
N9AvUXxGxU4DruoJuFPcrCI=
-----END X509 CRL-----
7. dumca certificate and key
-----BEGIN CERTIFICATE-----
MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjhaFw0yOTAzMTUxMzMyMjha
MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeWn+ulgls9+dK3KzzfC1b
a9RMSf+gjv/Olw5386Vw6pJOVngR11RytWJoLiKbjYPyGhP1cms2FoUKuAEO31gD
3AoUCa+nXgaMLiDtmdC5ATqVv3Oap5aNgAqq0mxMxOylKgcUhfuH2icEnfBtHzEe
ST11S69zQr5GGfa/XslbDQIDAQABo4GJMIGGMB0GA1UdDgQWBBRCmXIsp4G3iP7Z
Qv4gS19W8W/cLzBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAkRiLpJesXyNQ34ZP
Oc4d0gvCl4pyNHx5gsV0yHtxP7oYoIa7Bw4setplQ9Y2YcH5xuXK84xvAby9csWp
cod1QOkFzZfb9qj10PXfD8bMoLOyrZfr5nsNAl2scvOtnM1TFL/ll5/S2PVcPthx
Z5t128UNQYMu93OmVjZANL5L6Jw=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,11485599004D2482
R+TgUoQo1Ksqpnwh1B1x3u7jxd1qJsfG5st7WJaeJzSY3v+ZnmTS4O008eKgw6Z1
eGJevsNW8Z8ButjChzlesCm+90jpKpOqA6MlvzeknAxtGdEfe8rUEytfNOorjJTy
1Mu9T8Tlk6tmmmXNTDX1lQytYaHA4e4VVEbYGNceMNcPonT1Y0SyebJwtfd4XKkG
Ty40kMnb+qrFr1ZxVRG+LWKDR/bS0S2K2zY6Ha45d8yoYZlgLZ7yVAlrp0T0PF4B
UWvSyNK9VOBLrvqXSofK5gNGkR/C63x8FU2V25ISicBQBXLNo9OgIsbrryHF330T
2TxhnOpFU1AwgTSfp4Fy/Htkvgo7/jmFRa3r4xelTdEUKvRrwaZeMjg0fT+24529
8o8MMOF0YWNtIDNUVRFg9/DgAsD/LoXbOGc/E2ryJdq1D4N914s4m/D5Sox27iu4
3op/dt+WMoA0g/YbjhWn2cAfWcH9P8p8/n/FUO8APmGI3aHbtOhJQ8qwxcalp6kO
fICWsW4ygWtdpnyJWzAY0Udtsl8mglTppGTl59OYZmlDQTLhJ1hWiXLeNKj0pGPz
bAJ5jGQN8zXAk83j019rI5WveAdWp+w1XRGvmPxLL3heojHrkutuYLQ0LOcFwNvg
OqmPvZneRBoy6Yshp0XyYy+qioxDm+Vd/NV1/aCWgQXJA3vFqUg3AURLFHHTh+7h
fa3DDCLtdg/wJkRtOWjFhq0hgx5sb9zVv8HCuMERbZJbWwDOfSrHJwXj4KaTHVqY
OWfBE9vzeAxRpdpe69SZWYg3tyu7uSf6a5Rp55iMI3kjuQMCanvsNA==
-----END RSA PRIVATE KEY-----
8. crl issuer for dumca, the certificate and key
-----BEGIN CERTIFICATE-----
MIICUDCCAbmgAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjlaFw0yOTAzMTUxMzMyMjla
MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz
cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF7NjUUWji4pPmFg3qx4HB
kjtInwe7i2lPjRUN0ZwTcWob2RaD1+fhc7seeNmnypjERTa9TXF5cs2PgSHWNISC
QbQpbobOUcSsV/6Lr0kvrHJuVowcX13VsApGSJavVs2oJqUiFGNpnch8yR/pMHJf
hsd/Go+nUXMOl2xN31DMFQIDAQABo4GJMIGGMB0GA1UdDgQWBBS1XVE2CYKHgO7t
1koYVTu2w7xgNTBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw
HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw
AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAHYraYtdetZFOiTUR
dhvUi556el1WT25O8pF21YAzRI7KI4yzl6deD29DtcIPiBc8H1A4U6OhwXSQsqTd
taOHHdZxnU+m078mb231OPVvo48uZwpnX35g/qItW+Nb/dIEb08537oQKoGgL0hV
sKZPWod70JBkJabDuUirorhlk4A=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1E0E5983F90A10E0
KdPTRmJjeKXFTgdVIgP0eu+m0evwVD2QFMkT3pPI9HELRxtkgIQzjK8F0KIHK9vi
Ur0CMgJkX0zs2v7HIG7jvfQ2fREidRTk1g3xCjHXVbpwjWN2dbo+mR0J2zzxNILy
mSs13PlDPdV81Vkn1WkMY0lhdrEpR6senQ4KIiMJTMsWZabG3lyFM6d7ag7CDVC+
jnsUFg2XW5dYP/kb09p14+CdiQwruNVeVEWhWPG1pAjl7hXCEM5ssz9fNk6Gyh2X
OXB2mMysqTkt+qB+OIqLKj3NTUs2ovVQZnaCaynsnMYTcIEFmv3lC0gJHYAZtBXf
IkySb+VaB7wmk1CI1+texDU8+B2sq7wmqX0SLY7dMwkbxP1kydn9U5i4Gqmdxpw5
4+jn7dB6oKfVFlXIZTZzhmN44cIdai48qVmse1BRDxUdfmlgd9C2W1mw4N60BXbt
DeNr8ua5UtcUOXBGJk6VEJapDU/dnnANhVR4R48Y9t+g1qlhwHB4zbSrAIJ5Rsbg
6pvdt7BQmFXtm4flZbf21Lr8awWkNFdc/k/3uXA6xemgsFNxPZXlpXO26KpIP+nz
lt9Q82WxIkzE+BvO+qd5wMqQ/GC/ztO8GJeGdRIo6un7KkNKs2AZDoCELo2lO53B
EBWHeABtJpB1Fw3lW3iJn0A6YbYzK1omztoNMkesBIi0QI5L/e0tq4Mp+LUjLm+Y
ywdrofTiYTu8R7mgS1b5q3eFtwUR9MZuKJGvhsBcSfS41vH2hDezYHg8vW55UIE3
h7EhOUnTkHY43OKZnmXHwh3pTEmHv1TfMpeaktiU/w0=
-----END RSA PRIVATE KEY-----
9. end entity certificate issued by subca, Alice
-----BEGIN CERTIFICATE-----
MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/
T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS
1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7
cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty
uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG
9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk
yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd
G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9E29E1901B338431
796Bj4/MwwHdy6+yZQcq3pS12EZPlEm7qsCCTl787y+DYEnnj+9W4WX4+1zWsUGV
1+39oe/KOUfi5O9ytMuKiroIrklmkskWHDoW6sr4VcDprnLYL+75AhTfgpOtY+gK
q+++N7P2o9V6YF7PiGxaBqGy/3bt0nTu0sjctfzbo4g0PniiId9sus2Y+iRHKebJ
r9V0b0jB8USuIsZ+4IQJFZ+/zeKuqqqPM/4v5VKNUahER8oykhRd4L9UactnVH5t
dsfowtHmOmKE6ObJX3m+HgJMvauMMf7zJVdqJquU2vy0bUk9ufCrA7t5ws7JDRzd
SG5gt7EVQzd5x/yXsQdKbDew5mXsYPB8vz4moTgj4YJU+m6k0t1PH00pz7LUrDHl
E8ZAmXIKLEBIih1AWkdASR/YZsfB3URIC8mLyDSZJN5iEVJxl/JWm6pbJlP3Xn3J
fraVEXP6uerf29CNhizq520AfGdsSqga6atdx6PXBVm67V0TZ+zmBMUQJrWmJUUC
NFGAac+M58lYX9uwsrO9x/x6GSZvhQQu1kfD1m8DHN3IV5m3uHxsEvhmuHaqFEMJ
uH336HbqWYENXwZfDHZvOU1o2FejsLZ7QmFjB72iAxhVNQt53pCXed2gF/bERGSn
qi0PsYtjyzfEUefqlVRSWVulbQfGwkvl8dX9s6BxmOG1q0BzlDu+cQLYXPS+XOww
H8GgkGp6XTd04qT/qCm8gcuxAvdkYkj2zgAIKaqeJ53S3Ua9lrIKnA3L3btiEG5F
JTYutSdRqB4liukkB1TciiDVSmOisszjrMHhRRYPfgeLfnRFdX9U9g==
-----END RSA PRIVATE KEY-----
10. end entity certificate issued by subca, Bob
-----BEGIN CERTIFICATE-----
MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
MzVaFw0yOTAzMTUxMzMyMzVaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALLrxd3DpXuH7yiAoyi/Rc1F7WsyyeNE1Ra2ymHpcee/
3sbldekcgPl6lGQF/JJ5ARBbfeDtaf6ZtAK3j6aXqxVFxDKKu86r96v74gWJB7Vv
CHcUPvmE/EGESq3VNFI998DbmvqICLC97nFLUIrKWDH1rRFZjjkmouln40UxQXvV
AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUTXz1J2viNSKvRHIRVhD6
cJE4lgYwHwYDVR0jBBgwFoAUYnQvA7d3Qc2BEiqUdrUeetLGdPswDQYJKoZIhvcN
AQEEBQADgYEApsKyLf4FbXb26KsQrxgFn/w0d/7ck4cE8a6oXQqi5OLheNSWfD3S
fgD1dR28mGmhBiyOkdLmrhA1+6BuEr4FsuyLgrFnEqKL0ZhVhiqvwKLGqvasWxfU
Edaw4WXvRcfRWXfgjtwB6PSj/3nqGKSGRPif/OFIjO6UqHwEM7JEWO4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4A820975D251613F
GseD8MIztC0oYMxwpxeBO4/YPs9ZFFjgncXXcy+1oYZdlEsrS1xw87unjeHigL8m
QPIn8Guv3DiOsBdvweuMAgPPaA1zlophPClbGZMk7BB3T2acEfjBQH1DZz7kd7Bf
OmI2DrqcEg1yDi7l7YutBuTQPiy3nj3d7pbScuFd5YVMu6yH0YpS7JsPvviabFk2
eYVlkaiejtQwV+4rUb7sH/0iyqX2uqvnpnGAwVzGp+tfSOl71SByz240nOODBRgY
3Uvxkrw6XhCBAayJE0t7rkPMEe1KgZaGO2IU2jsJJbyHVjvNPSugdbsT28prZHN1
5M1J1NSOssq/kAq6S3f9sC5j7OzP7oUlx8uMUUSaz09/Ttq22tUoqmTue2IqqxAt
lDaeR8duHP5VV1wWnDsW/XaVYlBFQ4eFPJcXqmWsNAkDQVJp327GrcT6ngevP8fD
BcIxyX6J0rETPruAE+1+PAGjqy+C+oB0ssyZvKcjzdajHcNxSlRpCuOO2ekDvNPO
h+mVukNpHCEBsh3jYmk3z9i7VPLCM0BI+vheJ1TbM+homWP6bXyTQxtLfaKzXZJH
jRJ+zGTMBNJoPVKkou03uXFpT6hdWr9nYwbMT6G9hmC0If3wEl8nRjDKbmyMS29B
p3im1kPxVJA0DjhghC+7tACy42ffw6KZPALwaVDKHGeitrQBc3xTGfrjOGQOTTcm
hZ8icYCY0cjl5KQ2kq2GpXa2zQMujNV/Oj7D4sE0xcASMRXl3tst77R/j0eowx1M
niCTRphxx4iTPkieIbjWWeFTpVmSzUBrm4hSw3tiRapVWf6Zo3aAIg==
-----END RSA PRIVATE KEY-----
11. end entity certificate issued by subca, Susan
-----BEGIN CERTIFICATE-----
MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy
MzZaFw0yOTAzMTUxMzMyMzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt
cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAr2u6mdjqAVtfcgPze+9OUFZu3pi+HqoNBoygm2gq
qRAe+FVNSUeNAMQesQBo/eB0F1Iv/BjnYJ/7pYMLaf90MLoYr0Q5vNKYlBdcyUee
Jn1WmfN2Qk+UoUaiM4HAKHNJnZk13vWpZW54mcW1q09oj0oMjAZtaZsqpY6CtW6/
+J8CAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBQVK9naug5W9pQlBqD2
fVaCXooa1TAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG
9w0BAQQFAAOBgQDKYoM8EbP78ucjtsdvw4ywyo21hhSeP9PmRnNz/U3F9sQATmn+
QBl6sBsrmbML2yrhkM1ctZTVUVp0S72fAbLgVjNk86p/CF+a2tmi0+lJh1aR7zQi
opt+68Nec2/52kgWi64ruF7YITmGHBxS/RDooFbscZbdrPgcow/Jw+5HnQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9025CDB2AB43B0DE
q4hvYnqkhDSDCsbXfxtMjPvzT38ql5wscOsGwDM/xMANSyPk9h/aqAxvB8G+8v6E
63x9Q5jRi2YY6z2sOpvu0utu7Xn6KA/H1YrpYFURTEjBbK2Qd41vPQ/NYcIO3nQd
PR2Qm3kpNumBSZomyNfJk9oegGxfw+P0af2GIb6YqmTDot+LLCLwpqxrGyQQ1LYp
zc4A9D/b19Y0eD+TU9S2KEYszvfUo7RBxRFSZ6QN1rT2SEa7IJN9wb6TvgeB2lRB
Ds90tmLtkbuwLTZre+aqbM8mU40+RI9GHh+mPw0Qz55Kw2CUe+PnGsLQnOTm7p/I
mLiPTNMJKvwaR18Z88IE9UwL0zE/ND7vZfrhqTn9bHRnzHU4NtBCBsS8zloI+rXZ
EIWKMDyzMH3wpbNYq/AemSvvUz1wGOxit5TjG2QwwCNt8hPLl0Es6Q5aWdAPPrLM
EfX/6gL7bLTHNyLPz/U32o0H4hz5J7FQ7SuYUPLI3ybiPC2qL11jbtrZMesAYEAX
mvRnqO+6dPEpwGmKz8kUj2mC8X8FPKCCiy4kbc8NjLTMao+/vOgD+wBuIePaC3yE
vpuZrsUSFZWRJ824sDMmmZFoi2DKsp1zqCV1kXozaPGigaOxtkdp890nBcGkPijQ
8F+jCGwSFda6UfuJHCQ/eJB+8LQUWa8u1TeJ9zo98oD2OBfQ5maZU0Vfv1EXvwbp
pz2R6HXFaPrQDeGO0xVzD453AbY/fZCGnhIwrEYvPAbwpIKde397MP66gYFMNFhA
IaMimFnBv7IHL08Ka0KtqbVhLpEKWFpZ6LsOnyispeB4KF0md+lpGg==
-----END RSA PRIVATE KEY-----

309
jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java Normal file

@ -0,0 +1,309 @@
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/**
* @test
* @bug 6852744
* @summary PIT b61: PKI test suite fails because self signed certificates
* are being rejected
* @run main/othervm StatusLoopDependency subca
* @run main/othervm StatusLoopDependency subci
* @run main/othervm StatusLoopDependency alice
* @author Xuelei Fan
*/
import java.io.*;
import java.net.SocketException;
import java.util.*;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import sun.security.util.DerInputStream;
/**
* KeyUsage extension plays a important rule during looking for the issuer
* of a certificate or CRL. A certificate issuer should have the keyCertSign
* bit set, and a CRL issuer should have the cRLSign bit set.
*
* Sometime, a delegated CRL issuer would also have the keyCertSign bit set,
* as would be troublesome to find the proper CRL issuer during certificate
* path build if the delegated CRL issuer is a self-issued certificate, for
* it is hard to identify it from its issuer by the "issuer" field only.
*
* In the test case, the delegated CRL issuers have keyCertSign bit set, and
* the CAs have the cRLSign bit set also. If we cannot identify the delegated
* CRL issuer from its issuer, there is a potential loop to find the correct
* CRL.
*
* And when revocation enabled, needs to check the status of the delegated
* CRL issuers. If the delegated CRL issuer issues itself status, there is
* a potential loop to verify the CRL and check the status of delegated CRL
* issuer.
*
* The fix of 6852744 should addresses above issues.
*/
public final class StatusLoopDependency {
// the trust anchor
static String selfSignedCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" +
"81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" +
"m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" +
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" +
"ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" +
"DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" +
"v/E=\n" +
"-----END CERTIFICATE-----";
// the sub-ca
static String subCaCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" +
"srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" +
"+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" +
"E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" +
"KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" +
"MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" +
"RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" +
"iil34GktVl6gfMKGzUEW/Dh8OM4=\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of trust anchor
static String topCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" +
"MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
"AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" +
"/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" +
"hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" +
"AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" +
"QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" +
"BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" +
"DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" +
"xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" +
"rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" +
"G0c=\n" +
"-----END CERTIFICATE-----";
// a delegated CRL issuer, it's a self-issued certificate of sub-ca
static String subCrlIssuerCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" +
"MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" +
"cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" +
"OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" +
"obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" +
"GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" +
"xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" +
"HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" +
"AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" +
"Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" +
"pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" +
"Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" +
"-----END CERTIFICATE-----";
// the target EE certificate
static String targetCertStr =
"-----BEGIN CERTIFICATE-----\n" +
"MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" +
"MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" +
"MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" +
"cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" +
"9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" +
"T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" +
"1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" +
"cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" +
"uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" +
"9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" +
"yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" +
"G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" +
"-----END CERTIFICATE-----";
// CRL issued by the delegated CRL issuer, topCrlIssuerCertStr
static String topCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX\n" +
"DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ\n" +
"KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1\n" +
"v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN\n" +
"GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=\n" +
"-----END X509 CRL-----";
// CRL issued by the delegated CRL issuer, subCrlIssuerCertStr
static String subCrlStr =
"-----BEGIN X509 CRL-----\n" +
"MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
"ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw\n" +
"ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO\n" +
"MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO\n" +
"oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe\n" +
"5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr\n" +
"N9AvUXxGxU4DruoJuFPcrCI=\n" +
"-----END X509 CRL-----";
private static Set<TrustAnchor> generateTrustAnchors()
throws CertificateException {
// generate certificate from cert string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is =
new ByteArrayInputStream(selfSignedCertStr.getBytes());
Certificate selfSignedCert = cf.generateCertificate(is);
// generate a trust anchor
TrustAnchor anchor =
new TrustAnchor((X509Certificate)selfSignedCert, null);
return Collections.singleton(anchor);
}
private static CertStore generateCertificateStore() throws Exception {
Collection entries = new HashSet();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is;
is = new ByteArrayInputStream(targetCertStr.getBytes());
Certificate cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCaCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(selfSignedCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
cert = cf.generateCertificate(is);
entries.add(cert);
// generate CRL from CRL string
is = new ByteArrayInputStream(topCrlStr.getBytes());
Collection mixes = cf.generateCRLs(is);
entries.addAll(mixes);
is = new ByteArrayInputStream(subCrlStr.getBytes());
mixes = cf.generateCRLs(is);
entries.addAll(mixes);
return CertStore.getInstance("Collection",
new CollectionCertStoreParameters(entries));
}
private static X509CertSelector generateSelector(String name)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
byte[] extVal = target.getExtensionValue("2.5.29.14");
if (extVal != null) {
DerInputStream in = new DerInputStream(extVal);
byte[] subjectKID = in.getOctetString();
selector.setSubjectKeyIdentifier(subjectKID);
} else {
// unlikely to happen.
throw new Exception("unexpected certificate: no SKID extension");
}
return selector;
}
private static boolean match(String name, Certificate cert)
throws Exception {
X509CertSelector selector = new X509CertSelector();
// generate certificate from certificate string
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream is = null;
if (name.equals("subca")) {
is = new ByteArrayInputStream(subCaCertStr.getBytes());
} else if (name.equals("subci")) {
is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes());
} else {
is = new ByteArrayInputStream(targetCertStr.getBytes());
}
X509Certificate target = (X509Certificate)cf.generateCertificate(is);
return target.equals(cert);
}
public static void main(String[] args) throws Exception {
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
X509CertSelector selector = generateSelector(args[0]);
Set<TrustAnchor> anchors = generateTrustAnchors();
CertStore certs = generateCertificateStore();
PKIXBuilderParameters params =
new PKIXBuilderParameters(anchors, selector);
params.addCertStore(certs);
params.setRevocationEnabled(true);
params.setDate(new Date(109, 7, 1)); // 2009-07-01
Security.setProperty("ocsp.enable", "false");
System.setProperty("com.sun.security.enableCRLDP", "true");
PKIXCertPathBuilderResult result =
(PKIXCertPathBuilderResult)builder.build(params);
if (!match(args[0], result.getCertPath().getCertificates().get(0))) {
throw new Exception("unexpected certificate");
}
}
}

221
jdk/test/java/security/cert/CertPathBuilder/selfIssued/generate.sh Normal file

@ -0,0 +1,221 @@
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#!/bin/ksh
#
# needs ksh to run the script.
# generate a self-signed root certificate
if [ ! -f root/root_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \
-out root/root_cert.pem -subj "/C=US/O=Example" \
-config openssl.cnf -reqexts cert_issuer -days 7650 \
-passin pass:passphrase -passout pass:passphrase
fi
# generate a sele-issued root crl issuer certificate
if [ ! -f root/top_crlissuer_cert.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \
-out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate subca cert issuer and crl iuuser certificates
if [ ! -f subca/subca_cert.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \
-out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \
-CAserial root/root_cert.srl -days 7200 -passin pass:passphrase
openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \
-out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \
-extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate dumca cert issuer and crl iuuser certificates
if [ ! -f dumca/dumca_cert.pem ]; then
if [ ! -d sumca ]; then
mkdir dumca
fi
openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \
-out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \
-extensions cert_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \
-out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \
-days 7650 -passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in dumca/dumca_crlissuer_req.pem \
-extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \
-CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \
-CAcreateserial -CAserial root/root_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate certifiacte for Alice
if [ ! -f subca/alice/alice_cert.pem ]; then
if [ ! -d subca/alice ]; then
mkdir -p subca/alice
fi
openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \
-out subca/alice/alice_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/alice/alice_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/alice/alice_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Bob
if [ ! -f subca/bob/bob_cert.pem ]; then
if [ ! -d subca/bob ]; then
mkdir -p subca/bob
fi
openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \
-out subca/bob/bob_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/bob/bob_req.pem \
-extfile openssl.cnf -extensions ee_of_subca \
-CA subca/subca_cert.pem -CAkey subca/subca_key.pem \
-out subca/bob/bob_cert.pem -CAcreateserial \
-CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase
fi
# generate certifiacte for Susan
if [ ! -f subca/susan/susan_cert.pem ]; then
if [ ! -d subca/susan ]; then
mkdir -p subca/susan
fi
openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \
-out subca/susan/susan_req.pem \
-subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \
-passin pass:passphrase -passout pass:passphrase
openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \
-extensions ee_of_subca -CA subca/subca_cert.pem \
-CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \
-CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \
-passin pass:passphrase
fi
# generate the top CRL
if [ ! -f root/top_crl.pem ]; then
if [ ! -d root ]; then
mkdir root
fi
if [ ! -f root/index.txt ]; then
touch root/index.txt
echo 00 > root/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
fi
# revoke dumca
openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \
-name ca_top -crl_reason superseded \
-keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \
-passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \
-crl_reason superseded -keyfile root/top_crlissuer_key.pem \
-cert root/top_crlissuer_cert.pem -out root/top_crl.pem \
-passin pass:passphrase
# revoke for subca
if [ ! -f subca/subca_crl.pem ]; then
if [ ! -d subca ]; then
mkdir subca
fi
if [ ! -f subca/index.txt ]; then
touch subca/index.txt
echo 00 > subca/crlnumber
fi
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase
fi
# revoke susan
openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \
-name ca_subca -crl_reason superseded \
-keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -passin pass:passphrase
openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \
-crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \
-cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \
-passin pass:passphrase

205
jdk/test/java/security/cert/CertPathBuilder/selfIssued/openssl.cnf Normal file

@ -0,0 +1,205 @@
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation. Sun designates this
# particular file as subject to the "Classpath" exception as provided
# by Sun in the LICENSE file that accompanied this code.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
#
# OpenSSL configuration file.
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./top
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_top ]
dir = ./root
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = v3_ca
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ ca_subca ]
dir = ./subca
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 7650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = NO
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = A-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign, cRLSign
[ cert_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign, cRLSign
[ crl_issuer ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign, cRLSign
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
[ ee_of_subca ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer