1 /*
   2  * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 /*
  25  * @test
  26  * @bug 8076117
  27  * @summary EndEntityChecker should not process custom extensions
  28  *          after PKIX validation
  29  */
  30 
  31 import java.io.ByteArrayInputStream;
  32 import java.io.File;
  33 import java.io.FileInputStream;
  34 import java.security.KeyStore;
  35 import java.security.cert.CertPathValidatorException;
  36 import java.security.cert.Certificate;
  37 import java.security.cert.CertificateException;
  38 import java.security.cert.CertificateFactory;
  39 import java.security.cert.PKIXBuilderParameters;
  40 import java.security.cert.PKIXCertPathChecker;
  41 import java.security.cert.TrustAnchor;
  42 import java.security.cert.X509Certificate;
  43 import java.util.Collection;
  44 import java.util.Date;
  45 import java.util.HashSet;
  46 import java.util.Set;
  47 import sun.security.validator.KeyStores;
  48 import sun.security.validator.Validator;
  49 
  50 
  51 public class EndEntityExtensionCheck {
  52 
  53     /*
  54      * Owner: CN=TestCA
  55      * Issuer: CN=TestCA
  56      */
  57     private static final String CA =
  58         "-----BEGIN CERTIFICATE-----\n" +
  59         "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
  60         "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
  61         "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
  62         "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
  63         "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
  64         "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
  65         "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
  66         "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
  67         "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
  68         "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
  69         "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
  70         "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
  71         "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
  72         "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
  73         "-----END CERTIFICATE-----";
  74 
  75     /*
  76      * Owner: CN=TestEE
  77      * Issuer: CN=TestCA
  78      * Contains a custom critical extension with OID 1.2.3.4:
  79      *    #1: ObjectId: 1.2.3.4 Criticality=true
  80      *    0000: 00 00
  81      */
  82     private static final String EE =
  83         "-----BEGIN CERTIFICATE-----\n" +
  84         "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
  85         "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
  86         "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
  87         "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
  88         "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
  89         "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
  90         "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
  91         "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
  92         "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
  93         "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
  94         "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
  95         "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
  96         "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
  97         "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
  98         "3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
  99         "-----END CERTIFICATE-----";
 100 
 101     public static void main(String[] args) throws Exception {
 102         X509Certificate[] chain = createChain();
 103 
 104         /* Test 1: Test SimpleValidator
 105          *  SimpleValidator doesn't check for unsupported critical
 106          *  extensions in the end entity certificate, and leaves that up
 107          *  to EndEntityChecker, which should catch such extensions.
 108          */
 109         KeyStore ks = KeyStore.getInstance("JKS");
 110         ks.load(null, null);
 111         ks.setCertificateEntry("testca", chain[chain.length - 1]);
 112 
 113         Validator v = Validator.getInstance(Validator.TYPE_SIMPLE,
 114                                             Validator.VAR_TLS_CLIENT,
 115                                             KeyStores.getTrustedCerts(ks));
 116         try {
 117             v.validate(chain);
 118             throw new Exception("Chain should not have validated " +
 119                                 "successfully.");
 120         } catch (CertificateException ex) {
 121             // EE cert has an unsupported critical extension that is not
 122             // checked by SimpleValidator's extension checks, so this
 123             // failure is expected
 124         }
 125 
 126         /* Test 2: Test PKIXValidator without custom checker
 127          * PKIXValidator accepts PKIXParameters that can contain
 128          * custom PKIXCertPathCheckers, which would be run against
 129          * each cert in the chain, including EE certs.
 130          * Check that if PKIXValidator is not provided a custom
 131          * PKIXCertPathChecker for an unknown critical extension in
 132          * the EE cert, chain validation will fail.
 133          */
 134         TrustAnchor ta = new TrustAnchor(chain[chain.length - 1], null);
 135         Set<TrustAnchor> tas = new HashSet<>();
 136         tas.add(ta);
 137         PKIXBuilderParameters params = new PKIXBuilderParameters(tas, null);
 138         params.setDate(new Date(115, 5, 1));   // 2015-05-01
 139         params.setRevocationEnabled(false);
 140 
 141         v = Validator.getInstance(Validator.TYPE_PKIX,
 142                                   Validator.VAR_TLS_CLIENT,
 143                                   params);
 144         try {
 145             v.validate(chain);
 146             throw new Exception("Chain should not have validated " +
 147                                 "successfully.");
 148         } catch (CertificateException ex) {
 149             // EE cert has an unsupported critical extension and
 150             // PKIXValidator was not provided any custom checker
 151             // for it, so this failure ie expected.
 152         }
 153 
 154         /* Test 3: Test PKIXValidator with custom checker
 155          * Check that PKIXValidator will successfully validate a chain
 156          * containing an EE cert with a critical custom extension, given
 157          * a corresponding PKIXCertPathChecker for the extension.
 158          */
 159         params = new PKIXBuilderParameters(tas, null);
 160         params.addCertPathChecker(new CustomChecker());
 161         params.setDate(new Date(115, 5, 1));   // 2015-05-01
 162         params.setRevocationEnabled(false);
 163 
 164         v = Validator.getInstance(Validator.TYPE_PKIX,
 165                                   Validator.VAR_TLS_CLIENT,
 166                                   params);
 167         v.validate(chain); // This should validate successfully
 168 
 169         System.out.println("Tests passed.");
 170     }
 171 
 172     public static X509Certificate[] createChain() throws Exception {
 173         CertificateFactory cf = CertificateFactory.getInstance("X.509");
 174         X509Certificate ee = (X509Certificate)
 175             cf.generateCertificate((new ByteArrayInputStream(EE.getBytes())));
 176         X509Certificate ca = (X509Certificate)
 177             cf.generateCertificate((new ByteArrayInputStream(CA.getBytes())));
 178 
 179         X509Certificate[] chain = {ee, ca};
 180         return chain;
 181     }
 182 
 183     /*
 184      * A custom PKIXCertPathChecker. Looks for a critical extension
 185      * in an end entity certificate with the OID 1.2.3.4.
 186      */
 187     static class CustomChecker extends PKIXCertPathChecker {
 188 
 189         @Override
 190         public void init(boolean forward) throws CertPathValidatorException {
 191             // nothing to do
 192         }
 193 
 194         @Override
 195         public boolean isForwardCheckingSupported() {
 196             return false;
 197         }
 198 
 199         @Override
 200         public Set<String> getSupportedExtensions() {
 201             Set<String> exts = new HashSet<>();
 202             exts.add("1.2.3.4");
 203             return exts;
 204         }
 205 
 206         @Override
 207         public void check(Certificate cert,
 208                           Collection<String> unresolvedCritExts)
 209                 throws CertPathValidatorException {
 210             X509Certificate currCert = (X509Certificate)cert;
 211             // check that this is an EE cert
 212             if (currCert.getBasicConstraints() == -1) {
 213                 if (unresolvedCritExts != null &&
 214                         !unresolvedCritExts.isEmpty()) {
 215                     unresolvedCritExts.remove("1.2.3.4");
 216                 }
 217             }
 218         }
 219 
 220     }
 221 }