/* * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ /* * @test * @bug 8257497 * @summary Check if issuer's SKID is used to establish the AKID for the subject cert * @library /test/lib * @modules java.base/sun.security.util */ import jdk.test.lib.SecurityTools; import jdk.test.lib.process.OutputAnalyzer; import java.io.*; import java.security.KeyStore; import java.security.cert.X509Certificate; import java.util.Arrays; import sun.security.util.DerValue; import sun.security.util.KnownOIDs; import static sun.security.util.KnownOIDs.*; public class CheckCertAKID { static OutputAnalyzer kt(String cmd, String ks) throws Exception { return SecurityTools.keytool("-storepass changeit " + cmd + " -keystore " + ks); } public static void main(String[] args) throws Exception { System.out.println("Generating a root cert with SubjectKeyIdentifier extension"); kt("-genkeypair -keyalg rsa -alias ca -dname CN=CA -ext bc:c " + "-ext 2.5.29.14=04:14:00:01:02:03:04:05:06:07:08:09:10:11:12:13:14:15:16:17:18:19", "ks"); kt("-exportcert -alias ca -rfc -file root.cert", "ks"); SecurityTools.keytool("-keystore ks -storepass changeit " + "-printcert -file root.cert") .shouldNotContain("AuthorityKeyIdentifier") .shouldContain("SubjectKeyIdentifier") .shouldContain("0000: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15") .shouldContain("0010: 16 17 18 19") .shouldHaveExitValue(0); System.out.println("Generating an end entity cert using issuer CA's SKID as its AKID"); kt("-genkeypair -keyalg rsa -alias e1 -dname CN=E1", "ks"); kt("-certreq -alias e1 -file tmp.req", "ks"); kt("-gencert -alias ca -ext san=dns:e1 -infile tmp.req -outfile tmp.cert ", "ks"); kt("-importcert -alias e1 -file tmp.cert", "ks"); byte[] expectedId = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19}; KeyStore kstore = KeyStore.getInstance(new File("ks"), "changeit".toCharArray()); X509Certificate cert = (X509Certificate)kstore.getCertificate("e1"); byte[] authorityKeyIdExt = cert.getExtensionValue( KnownOIDs.AuthorityKeyID.value()); byte[] authorityKeyId = null; if (authorityKeyIdExt == null) { System.out.println("Failed to get AKID extension from the cert"); System.exit(1); } else { try { authorityKeyId = new DerValue(authorityKeyIdExt).getOctetString(); } catch (IOException e) { System.out.println("Failed to get AKID encoded OctetString in the cert"); System.exit(1); } } authorityKeyId = Arrays.copyOfRange(authorityKeyId, 4, authorityKeyId.length); if (!Arrays.equals(authorityKeyId, expectedId)) { System.out.println("Failed due to AKID mismatch"); System.exit(1); } } }