/* * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ import java.io.*; import java.math.BigInteger; import java.security.*; import java.security.cert.*; import java.time.*; import java.util.*; import javax.net.ssl.*; import sun.security.validator.Validator; import sun.security.validator.ValidatorException; import jdk.test.lib.security.SecurityUtils; /** * @test * @bug 8207258 8216280 * @summary Check that TLS Server certificates chaining back to distrusted * Symantec roots are invalid * @library /test/lib * @modules java.base/sun.security.validator * @run main/othervm Distrust after policyOn invalid * @run main/othervm Distrust after policyOff valid * @run main/othervm Distrust before policyOn valid * @run main/othervm Distrust before policyOff valid */ public class Distrust { private static final String TEST_SRC = System.getProperty("test.src", "."); private static CertificateFactory cf; // Each of the roots have a test certificate chain stored in a file // named "-chain.pem". private static String[] rootsToTest = new String[] { "geotrustglobalca", "geotrustprimarycag2", "geotrustprimarycag3", "geotrustuniversalca", "thawteprimaryrootca", "thawteprimaryrootcag2", "thawteprimaryrootcag3", "verisignclass3g3ca", "verisignclass3g4ca", "verisignclass3g5ca", "verisignuniversalrootca" }; // Each of the subCAs with a delayed distrust date have a test certificate // chain stored in a file named "-chain.pem". private static String[] subCAsToTest = new String[] { "appleistca2g1", "appleistca8g1" }; // A date that is after the restrictions take affect private static final Date APRIL_17_2019 = Date.from(LocalDate.of(2019, 4, 17) .atStartOfDay(ZoneOffset.UTC) .toInstant()); // A date that is a second before the restrictions take affect private static final Date BEFORE_APRIL_17_2019 = Date.from(LocalDate.of(2019, 4, 17) .atStartOfDay(ZoneOffset.UTC) .minusSeconds(1) .toInstant()); // A date that is after the subCA restrictions take affect private static final Date JANUARY_1_2020 = Date.from(LocalDate.of(2020, 1, 1) .atStartOfDay(ZoneOffset.UTC) .toInstant()); // A date that is a second before the subCA restrictions take affect private static final Date BEFORE_JANUARY_1_2020 = Date.from(LocalDate.of(2020, 1, 1) .atStartOfDay(ZoneOffset.UTC) .minusSeconds(1) .toInstant()); public static void main(String[] args) throws Exception { cf = CertificateFactory.getInstance("X.509"); boolean before = args[0].equals("before"); boolean policyOn = args[1].equals("policyOn"); boolean isValid = args[2].equals("valid"); if (!policyOn) { // disable policy (default is on) Security.setProperty("jdk.security.caDistrustPolicies", ""); } Date notBefore = before ? BEFORE_APRIL_17_2019 : APRIL_17_2019; X509TrustManager pkixTM = getTMF("PKIX", null); X509TrustManager sunX509TM = getTMF("SunX509", null); for (String test : rootsToTest) { System.err.println("Testing " + test); X509Certificate[] chain = loadCertificateChain(test); testTM(sunX509TM, chain, notBefore, isValid); testTM(pkixTM, chain, notBefore, isValid); } // test chain if params are passed to TrustManager System.err.println("Testing verisignuniversalrootca with params"); testTM(getTMF("PKIX", getParams()), loadCertificateChain("verisignuniversalrootca"), notBefore, isValid); // test code-signing chain (should be valid as restrictions don't apply) System.err.println("Testing verisignclass3g5ca code-signing chain"); Validator v = Validator.getInstance(Validator.TYPE_PKIX, Validator.VAR_CODE_SIGNING, getParams()); // set validation date so this will still pass when cert expires v.setValidationDate(new Date(1544197375493l)); v.validate(loadCertificateChain("verisignclass3g5ca-codesigning")); // test chains issued through subCAs notBefore = before ? BEFORE_JANUARY_1_2020 : JANUARY_1_2020; for (String test : subCAsToTest) { System.err.println("Testing " + test); X509Certificate[] chain = loadCertificateChain(test); testTM(sunX509TM, chain, notBefore, isValid); testTM(pkixTM, chain, notBefore, isValid); } } private static X509TrustManager getTMF(String type, PKIXBuilderParameters params) throws Exception { TrustManagerFactory tmf = TrustManagerFactory.getInstance(type); if (params == null) { tmf.init((KeyStore)null); } else { tmf.init(new CertPathTrustManagerParameters(params)); } TrustManager[] tms = tmf.getTrustManagers(); for (TrustManager tm : tms) { X509TrustManager xtm = (X509TrustManager)tm; return xtm; } throw new Exception("No TrustManager for " + type); } private static PKIXBuilderParameters getParams() throws Exception { PKIXBuilderParameters pbp = new PKIXBuilderParameters(SecurityUtils.getCacertsKeyStore(), new X509CertSelector()); pbp.setRevocationEnabled(false); return pbp; } private static void testTM(X509TrustManager xtm, X509Certificate[] chain, Date notBefore, boolean valid) throws Exception { // Check if TLS Server certificate (the first element of the chain) // is issued after the specified notBefore date (should be rejected // unless distrust property is false). To do this, we need to // fake the notBefore date since none of the test certs are issued // after then. chain[0] = new DistrustedTLSServerCert(chain[0], notBefore); try { xtm.checkServerTrusted(chain, "ECDHE_RSA"); if (!valid) { throw new Exception("chain should be invalid"); } } catch (CertificateException ce) { if (valid) { throw new Exception("Unexpected exception, chain " + "should be valid", ce); } if (ce instanceof ValidatorException) { ValidatorException ve = (ValidatorException)ce; if (ve.getErrorType() != ValidatorException.T_UNTRUSTED_CERT) { throw new Exception("Unexpected exception: " + ce); } } else { throw new Exception("Unexpected exception: " + ce); } } } private static X509Certificate[] loadCertificateChain(String name) throws Exception { try (InputStream in = new FileInputStream(TEST_SRC + File.separator + name + "-chain.pem")) { Collection certs = (Collection)cf.generateCertificates(in); return certs.toArray(new X509Certificate[0]); } } private static class DistrustedTLSServerCert extends X509Certificate { private final X509Certificate cert; private final Date notBefore; DistrustedTLSServerCert(X509Certificate cert, Date notBefore) { this.cert = cert; this.notBefore = notBefore; } public Set getCriticalExtensionOIDs() { return cert.getCriticalExtensionOIDs(); } public byte[] getExtensionValue(String oid) { return cert.getExtensionValue(oid); } public Set getNonCriticalExtensionOIDs() { return cert.getNonCriticalExtensionOIDs(); } public boolean hasUnsupportedCriticalExtension() { return cert.hasUnsupportedCriticalExtension(); } public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException { // always pass } public void checkValidity(Date date) throws CertificateExpiredException, CertificateNotYetValidException { // always pass } public int getVersion() { return cert.getVersion(); } public BigInteger getSerialNumber() { return cert.getSerialNumber(); } public Principal getIssuerDN() { return cert.getIssuerDN(); } public Principal getSubjectDN() { return cert.getSubjectDN(); } public Date getNotBefore() { return notBefore; } public Date getNotAfter() { return cert.getNotAfter(); } public byte[] getTBSCertificate() throws CertificateEncodingException { return cert.getTBSCertificate(); } public byte[] getSignature() { return cert.getSignature(); } public String getSigAlgName() { return cert.getSigAlgName(); } public String getSigAlgOID() { return cert.getSigAlgOID(); } public byte[] getSigAlgParams() { return cert.getSigAlgParams(); } public boolean[] getIssuerUniqueID() { return cert.getIssuerUniqueID(); } public boolean[] getSubjectUniqueID() { return cert.getSubjectUniqueID(); } public boolean[] getKeyUsage() { return cert.getKeyUsage(); } public int getBasicConstraints() { return cert.getBasicConstraints(); } public byte[] getEncoded() throws CertificateEncodingException { return cert.getEncoded(); } public void verify(PublicKey key) throws CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException { cert.verify(key); } public void verify(PublicKey key, String sigProvider) throws CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException { cert.verify(key, sigProvider); } public PublicKey getPublicKey() { return cert.getPublicKey(); } public String toString() { return cert.toString(); } } }