stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8296742: Illegal X509 Extension should not be created

Browse Source 
Reviewed-by: mullan
This commit is contained in:
Weijun Wang 2022-11-22 22:21:50 +00:00
parent a6c418eaf8
commit e174558cad
28 changed files with 303 additions and 92 deletions

9
src/java.base/share/classes/sun/security/tools/keytool/Main.java

@ -1582,7 +1582,11 @@ public final class Main {
int d = id.indexOf(':');
if (d >= 0) {
CRLExtensions ext = new CRLExtensions();
ext.setExtension("Reason", new CRLReasonCodeExtension(Integer.parseInt(id.substring(d+1))));
int code = Integer.parseInt(id.substring(d+1));
if (code <= 0) {
throw new Exception("Reason code must be positive");
}
ext.setExtension("Reason", new CRLReasonCodeExtension(code));
badCerts[i] = new X509CRLEntryImpl(new BigInteger(id.substring(0, d)),
firstDate, ext);
} else {
@ -4632,6 +4636,9 @@ public final class Main {
continue;
}
int exttype = oneOf(name, extSupported);
if (exttype != -1 && value != null && value.isEmpty()) {
throw new Exception(rb.getString("Illegal.value.") + extstr);
}
switch (exttype) {
case 0: // BC
int pathLen = -1;

6
src/java.base/share/classes/sun/security/x509/AuthorityInfoAccessExtension.java

@ -74,11 +74,15 @@ public class AuthorityInfoAccessExtension extends Extension {
* Create an AuthorityInfoAccessExtension from a List of
* AccessDescription; the criticality is set to false.
*
* @param accessDescriptions the List of AccessDescription
* @param accessDescriptions the List of AccessDescription,
* cannot be null or empty.
* @throws IOException on error
*/
public AuthorityInfoAccessExtension(
List<AccessDescription> accessDescriptions) throws IOException {
if (accessDescriptions == null || accessDescriptions.isEmpty()) {
throw new IllegalArgumentException("accessDescriptions is null or empty");
}
this.extensionId = PKIXExtensions.AuthInfoAccess_Id;
this.critical = false;
this.accessDescriptions = accessDescriptions;

10
src/java.base/share/classes/sun/security/x509/AuthorityKeyIdentifierExtension.java

@ -99,8 +99,8 @@ public class AuthorityKeyIdentifierExtension extends Extension {
}
/**
* The default constructor for this extension. Null parameters make
* the element optional (not present).
* The default constructor for this extension. At least one parameter
* must be non null. Null parameters make the element optional (not present).
*
* @param kid the KeyIdentifier associated with this extension.
* @param names the GeneralNames associated with this extension
@ -110,7 +110,11 @@ public class AuthorityKeyIdentifierExtension extends Extension {
*/
public AuthorityKeyIdentifierExtension(KeyIdentifier kid, GeneralNames names,
SerialNumber sn)
throws IOException {
throws IOException {
if (kid == null && names == null && sn == null) {
throw new IllegalArgumentException(
"AuthorityKeyIdentifierExtension cannot be empty");
}
this.id = kid;
this.names = names;
this.serialNum = sn;

10
src/java.base/share/classes/sun/security/x509/CRLDistributionPointsExtension.java

@ -106,7 +106,8 @@ public class CRLDistributionPointsExtension extends Extension {
* DistributionPoint.
*
* @param isCritical the criticality setting.
* @param distributionPoints the list of distribution points
* @param distributionPoints the list of distribution points,
* cannot be null or empty.
* @throws IOException on error
*/
public CRLDistributionPointsExtension(boolean isCritical,
@ -120,9 +121,14 @@ public class CRLDistributionPointsExtension extends Extension {
* Creates the extension (also called by the subclass).
*/
protected CRLDistributionPointsExtension(ObjectIdentifier extensionId,
boolean isCritical, List<DistributionPoint> distributionPoints,
boolean isCritical, List<DistributionPoint> distributionPoints,
String extensionName) throws IOException {
if (distributionPoints == null || distributionPoints.isEmpty()) {
throw new IllegalArgumentException(
"distribution points cannot be null or empty");
}
this.extensionId = extensionId;
this.critical = isCritical;
this.distributionPoints = distributionPoints;

5
src/java.base/share/classes/sun/security/x509/CRLNumberExtension.java

@ -78,7 +78,7 @@ public class CRLNumberExtension extends Extension {
* Create a CRLNumberExtension with the BigInteger value .
* The criticality is set to false.
*
* @param crlNum the value to be set for the extension.
* @param crlNum the value to be set for the extension, cannot be null
*/
public CRLNumberExtension(BigInteger crlNum) throws IOException {
this(PKIXExtensions.CRLNumber_Id, false, crlNum, NAME, LABEL);
@ -91,6 +91,9 @@ public class CRLNumberExtension extends Extension {
boolean isCritical, BigInteger crlNum, String extensionName,
String extensionLabel) throws IOException {
if (crlNum == null) {
throw new IllegalArgumentException("CRL number cannot be null");
}
this.extensionId = extensionId;
this.critical = isCritical;
this.crlNumber = crlNum;

7
src/java.base/share/classes/sun/security/x509/CRLReasonCodeExtension.java

@ -69,10 +69,13 @@ public class CRLReasonCodeExtension extends Extension {
* Create a CRLReasonCodeExtension with the passed in reason.
*
* @param critical true if the extension is to be treated as critical.
* @param reason the enumerated value for the reason code.
* @param reason the enumerated value for the reason code, must be positive.
*/
public CRLReasonCodeExtension(boolean critical, int reason)
throws IOException {
throws IOException {
if (reason <= 0) {
throw new IllegalArgumentException("reason code must be positive");
}
this.extensionId = PKIXExtensions.ReasonCode_Id;
this.critical = critical;
this.reasonCode = reason;

5
src/java.base/share/classes/sun/security/x509/CertificateIssuerExtension.java

@ -80,10 +80,13 @@ public class CertificateIssuerExtension extends Extension {
* Create a CertificateIssuerExtension containing the specified issuer name.
* Criticality is automatically set to true.
*
* @param issuer the certificate issuer
* @param issuer the certificate issuer, cannot be null or empty.
* @throws IOException on error
*/
public CertificateIssuerExtension(GeneralNames issuer) throws IOException {
if (issuer == null || issuer.isEmpty()) {
throw new IllegalArgumentException("issuer cannot be null or empty");
}
this.extensionId = PKIXExtensions.CertificateIssuer_Id;
this.critical = true;
this.names = issuer;

6
src/java.base/share/classes/sun/security/x509/CertificatePoliciesExtension.java

@ -106,10 +106,14 @@ public class CertificatePoliciesExtension extends Extension {
* a List of PolicyInformation with specified criticality.
*
* @param critical true if the extension is to be treated as critical.
* @param certPolicies the List of PolicyInformation.
* @param certPolicies the List of PolicyInformation, cannot be null or empty.
*/
public CertificatePoliciesExtension(Boolean critical,
List<PolicyInformation> certPolicies) throws IOException {
if (certPolicies == null || certPolicies.isEmpty()) {
throw new IllegalArgumentException(
"certificate policies cannot be null or empty");
}
this.certPolicies = certPolicies;
this.extensionId = PKIXExtensions.CertificatePolicies_Id;
this.critical = critical.booleanValue();

4
src/java.base/share/classes/sun/security/x509/CertificatePolicyId.java

@ -26,6 +26,8 @@
package sun.security.x509;
import java.io.IOException;
import java.util.Objects;
import sun.security.util.*;
@ -44,7 +46,7 @@ public class CertificatePolicyId {
* @param id the ObjectIdentifier for the policy id.
*/
public CertificatePolicyId(ObjectIdentifier id) {
this.id = id;
this.id = Objects.requireNonNull(id);
}
/**

5
src/java.base/share/classes/sun/security/x509/CertificatePolicyMap.java

@ -26,6 +26,7 @@
package sun.security.x509;
import java.io.IOException;
import java.util.Objects;
import sun.security.util.*;
@ -47,8 +48,8 @@ public class CertificatePolicyMap {
*/
public CertificatePolicyMap(CertificatePolicyId issuer,
CertificatePolicyId subject) {
this.issuerDomain = issuer;
this.subjectDomain = subject;
this.issuerDomain = Objects.requireNonNull(issuer);
this.subjectDomain = Objects.requireNonNull(subject);
}
/**

9
src/java.base/share/classes/sun/security/x509/ExtendedKeyUsageExtension.java

@ -118,10 +118,15 @@ public class ExtendedKeyUsageExtension extends Extension {
* a Vector of KeyUsages with specified criticality.
*
* @param critical true if the extension is to be treated as critical.
* @param keyUsages the Vector of KeyUsages (ObjectIdentifiers)
* @param keyUsages the Vector of KeyUsages (ObjectIdentifiers),
* cannot be null or empty.
*/
public ExtendedKeyUsageExtension(Boolean critical, Vector<ObjectIdentifier> keyUsages)
throws IOException {
throws IOException {
if (keyUsages == null || keyUsages.isEmpty()) {
throw new IllegalArgumentException(
"key usages cannot be null or empty");
}
this.keyUsages = keyUsages;
this.extensionId = PKIXExtensions.ExtendedKeyUsage_Id;
this.critical = critical.booleanValue();

10
src/java.base/share/classes/sun/security/x509/Extension.java

@ -28,6 +28,8 @@ package sun.security.x509;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;
import java.util.Objects;
import sun.security.util.*;
/**
@ -172,10 +174,10 @@ public class Extension implements java.security.cert.Extension, DerEncoder {
@Override
public void encode(DerOutputStream out) throws IOException {
if (extensionId == null)
throw new IOException("Null OID to encode for the extension!");
if (extensionValue == null)
throw new IOException("No value to encode for the extension!");
Objects.requireNonNull(extensionId,
"No OID to encode for the extension");
Objects.requireNonNull(extensionValue,
"No value to encode for the extension");
DerOutputStream dos = new DerOutputStream();

3
src/java.base/share/classes/sun/security/x509/GeneralSubtree.java

@ -26,6 +26,7 @@
package sun.security.x509;
import java.io.*;
import java.util.Objects;
import sun.security.util.*;
@ -61,7 +62,7 @@ public class GeneralSubtree {
* @param max the maximum BaseDistance
*/
public GeneralSubtree(GeneralName name, int min, int max) {
this.name = name;
this.name = Objects.requireNonNull(name);
this.minimum = min;
this.maximum = max;
}

2
src/java.base/share/classes/sun/security/x509/InhibitAnyPolicyExtension.java

@ -83,7 +83,7 @@ public class InhibitAnyPolicyExtension extends Extension {
*/
public InhibitAnyPolicyExtension(int skipCerts) throws IOException {
if (skipCerts < -1)
throw new IOException("Invalid value for skipCerts");
throw new IllegalArgumentException("Invalid value for skipCerts");
if (skipCerts == -1)
this.skipCerts = Integer.MAX_VALUE;
else

7
src/java.base/share/classes/sun/security/x509/InvalidityDateExtension.java

@ -88,10 +88,13 @@ public class InvalidityDateExtension extends Extension {
* Create a InvalidityDateExtension with the passed in date.
*
* @param critical true if the extension is to be treated as critical.
* @param date the invalidity date
* @param date the invalidity date, cannot be null.
*/
public InvalidityDateExtension(boolean critical, Date date)
throws IOException {
throws IOException {
if (date == null) {
throw new IllegalArgumentException("date cannot be null");
}
this.extensionId = PKIXExtensions.InvalidityDate_Id;
this.critical = critical;
this.date = date;

23
src/java.base/share/classes/sun/security/x509/IssuerAlternativeNameExtension.java

@ -69,11 +69,8 @@ public class IssuerAlternativeNameExtension extends Extension {
* @exception IOException on error.
*/
public IssuerAlternativeNameExtension(GeneralNames names)
throws IOException {
this.names = names;
this.extensionId = PKIXExtensions.IssuerAlternativeName_Id;
this.critical = false;
encodeThis();
throws IOException {
this(false, names);
}
/**
@ -81,26 +78,20 @@ public class IssuerAlternativeNameExtension extends Extension {
* and GeneralNames.
*
* @param critical true if the extension is to be treated as critical.
* @param names the GeneralNames for the issuer.
* @param names the GeneralNames for the issuer, cannot be null or empty.
* @exception IOException on error.
*/
public IssuerAlternativeNameExtension(Boolean critical, GeneralNames names)
throws IOException {
throws IOException {
if (names == null || names.isEmpty()) {
throw new IllegalArgumentException("names cannot be null or empty");
}
this.names = names;
this.extensionId = PKIXExtensions.IssuerAlternativeName_Id;
this.critical = critical.booleanValue();
encodeThis();
}
/**
* Create a default IssuerAlternativeNameExtension.
*/
public IssuerAlternativeNameExtension() {
extensionId = PKIXExtensions.IssuerAlternativeName_Id;
critical = false;
names = new GeneralNames();
}
/**
* Create the extension from the passed DER encoded value.
*

11
src/java.base/share/classes/sun/security/x509/IssuingDistributionPointExtension.java

@ -110,7 +110,8 @@ public class IssuingDistributionPointExtension extends Extension {
* issuer CRL entry extension.
* @throws IllegalArgumentException if more than one of
* <code>hasOnlyUserCerts</code>, <code>hasOnlyCACerts</code>,
* <code>hasOnlyAttributeCerts</code> is set to <code>true</code>.
* <code>hasOnlyAttributeCerts</code> is set to <code>true</code>,
* or all arguments are either <code>null</code> or <code>false</code>.
* @throws IOException on encoding error.
*/
public IssuingDistributionPointExtension(
@ -119,6 +120,14 @@ public class IssuingDistributionPointExtension extends Extension {
boolean hasOnlyAttributeCerts, boolean isIndirectCRL)
throws IOException {
if (distributionPoint == null &&
revocationReasons == null &&
!hasOnlyUserCerts &&
!hasOnlyCACerts &&
!hasOnlyAttributeCerts &&
!isIndirectCRL) {
throw new IllegalArgumentException("elements cannot be empty");
}
if ((hasOnlyUserCerts && (hasOnlyCACerts || hasOnlyAttributeCerts)) ||
(hasOnlyCACerts && (hasOnlyUserCerts || hasOnlyAttributeCerts)) ||
(hasOnlyAttributeCerts && (hasOnlyUserCerts || hasOnlyCACerts))) {

32
src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java

@ -127,8 +127,8 @@ public class NameConstraintsExtension extends Extension
}
/**
* The default constructor for this class. Both parameters
* are optional and can be set to null. The extension criticality
* The default constructor for this class. Both parameters are optional
* but at least one should be non null. The extension criticality
* is set to true.
*
* @param permitted the permitted GeneralSubtrees (null for optional).
@ -136,7 +136,11 @@ public class NameConstraintsExtension extends Extension
*/
public NameConstraintsExtension(GeneralSubtrees permitted,
GeneralSubtrees excluded)
throws IOException {
throws IOException {
if (permitted == null && excluded == null) {
throw new IllegalArgumentException(
"permitted and excluded cannot both be null");
}
this.permitted = permitted;
this.excluded = excluded;
@ -280,6 +284,8 @@ public class NameConstraintsExtension extends Extension
return;
}
boolean updated = false;
/*
* If excludedSubtrees is present in the certificate, set the
* excluded subtrees state variable to the union of its previous
@ -288,12 +294,15 @@ public class NameConstraintsExtension extends Extension
GeneralSubtrees newExcluded = newConstraints.getExcludedSubtrees();
if (excluded == null) {
excluded = (newExcluded != null) ?
(GeneralSubtrees)newExcluded.clone() : null;
if (newExcluded != null) {
excluded = (GeneralSubtrees) newExcluded.clone();
updated = true;
}
} else {
if (newExcluded != null) {
// Merge new excluded with current excluded (union)
excluded.union(newExcluded);
updated = true;
}
}
@ -305,8 +314,10 @@ public class NameConstraintsExtension extends Extension
GeneralSubtrees newPermitted = newConstraints.getPermittedSubtrees();
if (permitted == null) {
permitted = (newPermitted != null) ?
(GeneralSubtrees)newPermitted.clone() : null;
if (newPermitted != null) {
permitted = (GeneralSubtrees) newPermitted.clone();
updated = true;
}
} else {
if (newPermitted != null) {
// Merge new permitted with current permitted (intersection)
@ -319,6 +330,7 @@ public class NameConstraintsExtension extends Extension
} else {
excluded = (GeneralSubtrees)newExcluded.clone();
}
updated = true;
}
}
}
@ -329,12 +341,14 @@ public class NameConstraintsExtension extends Extension
// less space.
if (permitted != null) {
permitted.reduce(excluded);
updated = true;
}
// The NameConstraints have been changed, so re-encode them. Methods in
// this class assume that the encodings have already been done.
encodeThis();
if (updated) {
encodeThis();
}
}
/**

8
src/java.base/share/classes/sun/security/x509/PolicyConstraintsExtension.java

@ -102,14 +102,18 @@ public class PolicyConstraintsExtension extends Extension {
/**
* Create a PolicyConstraintsExtension object with specified
* criticality and both require explicit policy and inhibit
* policy mapping.
* policy mapping. At least one should be provided (not -1).
*
* @param critical true if the extension is to be treated as critical.
* @param require require explicit policy (-1 for optional).
* @param inhibit inhibit policy mapping (-1 for optional).
*/
public PolicyConstraintsExtension(Boolean critical, int require, int inhibit)
throws IOException {
throws IOException {
if (require == -1 && inhibit == -1) {
throw new IllegalArgumentException(
"require and inhibit cannot both be -1");
}
this.require = require;
this.inhibit = inhibit;
this.extensionId = PKIXExtensions.PolicyConstraints_Id;

3
src/java.base/share/classes/sun/security/x509/PolicyInformation.java

@ -29,6 +29,7 @@ import java.io.IOException;
import java.security.cert.PolicyQualifierInfo;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import sun.security.util.DerValue;
@ -87,7 +88,7 @@ public class PolicyInformation {
}
this.policyQualifiers =
new LinkedHashSet<>(policyQualifiers);
this.policyIdentifier = policyIdentifier;
this.policyIdentifier = Objects.requireNonNull(policyIdentifier);
}
/**

14
src/java.base/share/classes/sun/security/x509/PolicyMappingsExtension.java

@ -75,25 +75,19 @@ public class PolicyMappingsExtension extends Extension {
/**
* Create a PolicyMappings with the List of CertificatePolicyMap.
*
* @param maps the List of CertificatePolicyMap.
* @param maps the List of CertificatePolicyMap, cannot be null or empty.
*/
public PolicyMappingsExtension(List<CertificatePolicyMap> maps)
throws IOException {
if (maps == null || maps.isEmpty()) {
throw new IllegalArgumentException("maps cannot be null or empty");
}
this.maps = maps;
this.extensionId = PKIXExtensions.PolicyMappings_Id;
this.critical = true;
encodeThis();
}
/**
* Create a default PolicyMappingsExtension.
*/
public PolicyMappingsExtension() {
extensionId = PKIXExtensions.PolicyMappings_Id;
critical = true;
maps = Collections.emptyList();
}
/**
* Create the extension from the passed DER encoded value.
*

11
src/java.base/share/classes/sun/security/x509/PrivateKeyUsageExtension.java

@ -93,15 +93,20 @@ public class PrivateKeyUsageExtension extends Extension {
}
/**
* The default constructor for PrivateKeyUsageExtension.
* The default constructor for PrivateKeyUsageExtension. At least one
* of the arguments must be non null.
*
* @param notBefore the date/time before which the private key
* should not be used.
* should not be used
* @param notAfter the date/time after which the private key
* should not be used.
*/
public PrivateKeyUsageExtension(Date notBefore, Date notAfter)
throws IOException {
throws IOException {
if (notBefore == null && notAfter == null) {
throw new IllegalArgumentException(
"notBefore and notAfter cannot both be null");
}
this.notBefore = notBefore;
this.notAfter = notAfter;

17
src/java.base/share/classes/sun/security/x509/SubjectAlternativeNameExtension.java

@ -84,27 +84,20 @@ public class SubjectAlternativeNameExtension extends Extension {
* criticality and GeneralNames.
*
* @param critical true if the extension is to be treated as critical.
* @param names the GeneralNames for the subject.
* @param names the GeneralNames for the subject, cannot be null or empty.
* @exception IOException on error.
*/
public SubjectAlternativeNameExtension(Boolean critical, GeneralNames names)
throws IOException {
throws IOException {
if (names == null || names.isEmpty()) {
throw new IllegalArgumentException("names cannot be null or empty");
}
this.names = names;
this.extensionId = PKIXExtensions.SubjectAlternativeName_Id;
this.critical = critical.booleanValue();
encodeThis();
}
/**
* Create a default SubjectAlternativeNameExtension. The extension
* is marked non-critical.
*/
public SubjectAlternativeNameExtension() {
extensionId = PKIXExtensions.SubjectAlternativeName_Id;
critical = false;
names = new GeneralNames();
}
/**
* Create the extension from the passed DER encoded value.
*

7
src/java.base/share/classes/sun/security/x509/SubjectInfoAccessExtension.java

@ -78,11 +78,16 @@ public class SubjectInfoAccessExtension extends Extension {
* Create an SubjectInfoAccessExtension from a List of
* AccessDescription; the criticality is set to false.
*
* @param accessDescriptions the List of AccessDescription
* @param accessDescriptions the List of AccessDescription,
* cannot be null or empty.
* @throws IOException on error
*/
public SubjectInfoAccessExtension(
List<AccessDescription> accessDescriptions) throws IOException {
if (accessDescriptions == null || accessDescriptions.isEmpty()) {
throw new IllegalArgumentException(
"accessDescriptions cannot be null or empty");
}
this.extensionId = PKIXExtensions.SubjectInfoAccess_Id;
this.critical = false;
this.accessDescriptions = accessDescriptions;

2
src/java.base/share/classes/sun/security/x509/SubjectKeyIdentifierExtension.java

@ -73,7 +73,7 @@ public class SubjectKeyIdentifierExtension extends Extension {
* @param octetString the octet string identifying the key identifier.
*/
public SubjectKeyIdentifierExtension(byte[] octetString)
throws IOException {
throws IOException {
id = new KeyIdentifier(octetString);
this.extensionId = PKIXExtensions.SubjectKey_Id;

14
test/jdk/sun/security/x509/Extensions/DefaultCriticality.java

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,20 +27,28 @@
certificate extensions
* @bug 8059916
* @modules java.base/sun.security.x509
* java.base/sun.security.util
*/
import sun.security.util.ObjectIdentifier;
import sun.security.x509.CertificatePolicyId;
import sun.security.x509.CertificatePolicyMap;
import sun.security.x509.PolicyConstraintsExtension;
import sun.security.x509.PolicyMappingsExtension;
import java.util.List;
public class DefaultCriticality {
public static void main(String [] args) throws Exception {
PolicyConstraintsExtension pce = new PolicyConstraintsExtension(-1,-1);
PolicyConstraintsExtension pce = new PolicyConstraintsExtension(1, 1);
if (!pce.isCritical()) {
throw new Exception("PolicyConstraintsExtension should be " +
"critical by default");
}
PolicyMappingsExtension pme = new PolicyMappingsExtension();
CertificatePolicyId id = new CertificatePolicyId(ObjectIdentifier.of("1.2.3.4"));
PolicyMappingsExtension pme = new PolicyMappingsExtension(List.of(
new CertificatePolicyMap(id, id)));
if (!pme.isCritical()) {
throw new Exception("PolicyMappingsExtension should be " +
"critical by default");

141
test/jdk/sun/security/x509/Extensions/IllegalExtensions.java Normal file

@ -0,0 +1,141 @@
/*
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8296742
* @summary Illegal X509 Extension should not be created
* @modules java.base/sun.security.util
* java.base/sun.security.x509
* @library /test/lib
*/
import jdk.test.lib.Utils;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.*;
import java.math.BigInteger;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Vector;
public class IllegalExtensions {
public static void main(String [] args) throws Exception {
var oid = ObjectIdentifier.of("1.2.3.4");
var emptyNames = new GeneralNames();
var name = new GeneralName(new X500Name("CN=one"));
var names = new GeneralNames();
names.add(name);
var ad = new AccessDescription(AccessDescription.Ad_CAISSUERS_Id, name);
new AuthorityInfoAccessExtension(List.of(ad));
Utils.runAndCheckException(() -> new AuthorityInfoAccessExtension(List.of()), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new AuthorityInfoAccessExtension(null), IllegalArgumentException.class);
var kid = new KeyIdentifier(new byte[32]);
var sn = new SerialNumber(0);
new AuthorityKeyIdentifierExtension(kid, null, null);
new AuthorityKeyIdentifierExtension(null, names, null);
new AuthorityKeyIdentifierExtension(null, null, sn);
Utils.runAndCheckException(() -> new AuthorityKeyIdentifierExtension(null, null, null), IllegalArgumentException.class);
new CertificateIssuerExtension(names);
Utils.runAndCheckException(() -> new CertificateIssuerExtension(null), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new CertificateIssuerExtension(emptyNames), IllegalArgumentException.class);
var pi = new PolicyInformation(new CertificatePolicyId(oid), Collections.emptySet());
new CertificatePoliciesExtension(List.of(pi));
Utils.runAndCheckException(() -> new CertificatePoliciesExtension(null), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new CertificatePoliciesExtension(List.of()), IllegalArgumentException.class);
var dp = new DistributionPoint(names, null, null);
new CRLDistributionPointsExtension(List.of(dp));
Utils.runAndCheckException(() -> new CRLDistributionPointsExtension(List.of()), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new CRLDistributionPointsExtension(null), IllegalArgumentException.class);
new CRLNumberExtension(0);
new CRLNumberExtension(BigInteger.ONE);
Utils.runAndCheckException(() -> new CRLNumberExtension(null), IllegalArgumentException.class);
new CRLReasonCodeExtension(1);
Utils.runAndCheckException(() -> new CRLReasonCodeExtension(0), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new CRLReasonCodeExtension(-1), IllegalArgumentException.class);
new ExtendedKeyUsageExtension(new Vector<>(List.of(oid)));
Utils.runAndCheckException(() -> new ExtendedKeyUsageExtension(null), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new ExtendedKeyUsageExtension(new Vector<>()), IllegalArgumentException.class);
new InhibitAnyPolicyExtension(0);
new InhibitAnyPolicyExtension(-1);
Utils.runAndCheckException(() -> new InhibitAnyPolicyExtension(-2), IllegalArgumentException.class);
new InvalidityDateExtension(new Date());
Utils.runAndCheckException(() -> new InvalidityDateExtension(null), IllegalArgumentException.class);
new IssuerAlternativeNameExtension(names);
Utils.runAndCheckException(() -> new IssuerAlternativeNameExtension(null), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new IssuerAlternativeNameExtension(emptyNames), IllegalArgumentException.class);
var dpn = new DistributionPointName(names);
var rf = new ReasonFlags(new boolean[1]);
new IssuingDistributionPointExtension(dpn, null, false, false, false, false);
new IssuingDistributionPointExtension(null, rf, false, false, false, false);
new IssuingDistributionPointExtension(null, null, true, false, false, false);
new IssuingDistributionPointExtension(null, null, false, true, false, false);
new IssuingDistributionPointExtension(null, null, false, false, true, false);
new IssuingDistributionPointExtension(null, null, false, false, false, true);
Utils.runAndCheckException(() -> new IssuingDistributionPointExtension(null, null, false, false, false, false), IllegalArgumentException.class);
var gss = new GeneralSubtrees();
new NameConstraintsExtension(gss, null);
new NameConstraintsExtension((GeneralSubtrees) null, gss);
Utils.runAndCheckException(() -> new NameConstraintsExtension((GeneralSubtrees) null, null), IllegalArgumentException.class);
new PolicyConstraintsExtension(0, 0);
new PolicyConstraintsExtension(-1, 0);
new PolicyConstraintsExtension(0, -1);
Utils.runAndCheckException(() -> new PolicyConstraintsExtension(-1, -1), IllegalArgumentException.class);
var cpi = new CertificatePolicyId(oid);
var cpm = new CertificatePolicyMap(cpi, cpi);
new PolicyMappingsExtension(List.of(cpm));
Utils.runAndCheckException(() -> new PolicyMappingsExtension(List.of()), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new PolicyMappingsExtension(null), IllegalArgumentException.class);
new PrivateKeyUsageExtension(new Date(), new Date());
new PrivateKeyUsageExtension(new Date(), null);
new PrivateKeyUsageExtension((Date) null, new Date());
Utils.runAndCheckException(() -> new PrivateKeyUsageExtension((Date) null, null), IllegalArgumentException.class);
new SubjectAlternativeNameExtension(names);
Utils.runAndCheckException(() -> new SubjectAlternativeNameExtension(null), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new SubjectAlternativeNameExtension(emptyNames), IllegalArgumentException.class);
new SubjectInfoAccessExtension(List.of(ad));
Utils.runAndCheckException(() -> new SubjectInfoAccessExtension(List.of()), IllegalArgumentException.class);
Utils.runAndCheckException(() -> new SubjectInfoAccessExtension(null), IllegalArgumentException.class);
}
}

14
test/jdk/sun/security/x509/X509CertImpl/V3Certificate.java

@ -155,21 +155,19 @@ public class V3Certificate {
new OIDName(ObjectIdentifier.of("1.2.3.4"));
GeneralName oid = new GeneralName(oidInf);
SubjectAlternativeNameExtension subjectName
= new SubjectAlternativeNameExtension();
IssuerAlternativeNameExtension issuerName
= new IssuerAlternativeNameExtension();
GeneralNames subjectNames = subjectName.getNames();
GeneralNames issuerNames = issuerName.getNames();
GeneralNames subjectNames = new GeneralNames();
subjectNames.add(mail);
subjectNames.add(dns);
subjectNames.add(uri);
SubjectAlternativeNameExtension subjectName
= new SubjectAlternativeNameExtension(subjectNames);
GeneralNames issuerNames = new GeneralNames();
issuerNames.add(ip);
issuerNames.add(oid);
IssuerAlternativeNameExtension issuerName
= new IssuerAlternativeNameExtension(issuerNames);
cal.set(2000, 11, 15, 12, 30, 30);
lastDate = cal.getTime();